DOI: 10.1145/2656045.2656071
research-article

SiPTA: signal processing for trace-based anomaly detection

Published: 12 October 2014

Abstract

Given a set of historic good traces, trace-based anomaly detection deals with the problem of determining whether or not a specific trace represents a normal execution scenario. Most current approaches mainly focus on application areas outside of the embedded systems domain and thus do not take advantage of the intrinsic properties of this domain.
This work introduces SiPTA, a novel technique for offline trace-based anomaly detection that utilizes the intrinsic feature of periodicity found in embedded systems. SiPTA uses signal processing as the underlying processing algorithm. The paper describes a generic framework for mapping execution traces to channels and signals for further processing. The classification stage of SiPTA uses a comprehensive set of metrics adapted from standard signal processing. The system is particularly useful for embedded systems, and the paper demonstrates this by comparing SiPTA with state-of-the-art approaches based on Markov Model and Neural Networks. The paper shows the technical feasibility and viability of SiPTA through multiple case studies using traces from a field-tested hexacopter, a mobile phone platform, and a car infotainment unit. In the experiments, our approach outperformed every other tested method.

Published In

EMSOFT '14: Proceedings of the 14th International Conference on Embedded Software
October 2014
301 pages
ISBN: 9781450330527
DOI: 10.1145/2656045
Publisher

Association for Computing Machinery

New York, NY, United States

Conference

ESWEEK'14: TENTH EMBEDDED SYSTEM WEEK
October 12 - 17, 2014
New Delhi, India

Acceptance Rates

Overall Acceptance Rate 60 of 203 submissions, 30%

Article Metrics

  • Downloads (Last 12 months): 23
  • Downloads (Last 6 weeks): 6

Reflects downloads up to 10 Nov 2024

Cited By

  • (2022) Partitioned Real-Time Scheduling for Preventing Information Leakage. IEEE Access, 10, pages 22712-22723. DOI: 10.1109/ACCESS.2022.3154055. Online publication date: 2022
  • (2021) Sieve: Attention-based Sampling of End-to-End Trace Data in Distributed Microservice Systems. 2021 IEEE International Conference on Web Services (ICWS), pages 436-446. DOI: 10.1109/ICWS53863.2021.00063. Online publication date: Sep-2021
  • (2020) Scheduling Randomization Protocol to Improve Schedule Entropy for Multiprocessor Real-Time Systems. Symmetry, 12:5, article 753. DOI: 10.3390/sym12050753. Online publication date: 6-May-2020
  • (2020) Palisade: A framework for anomaly detection in embedded systems. Journal of Systems Architecture, article 101876. DOI: 10.1016/j.sysarc.2020.101876. Online publication date: Sep-2020
  • (2019) A Novel Side-Channel in Real-Time Schedulers. 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 90-102. DOI: 10.1109/RTAS.2019.00016. Online publication date: Apr-2019
  • (2017) A systematic security analysis of real-time cyber-physical systems. 2017 22nd Asia and South Pacific Design Automation Conference (ASP-DAC), pages 206-213. DOI: 10.1109/ASPDAC.2017.7858321. Online publication date: Jan-2017
  • (2016) TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems. 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 1-12. DOI: 10.1109/RTAS.2016.7461362. Online publication date: Apr-2016
  • (2015) Integration Testing. Embedded Software Development for Safety-Critical Systems, pages 279-292. DOI: 10.1201/b18965-26. Online publication date: 3-Sep-2015
  • (2015) Detecting Anomalies in Embedded Computing Systems via a Novel HMM-Based Machine Learning Approach. Hybrid Artificial Intelligent Systems, pages 405-415. DOI: 10.1007/978-3-319-19644-2_34. Online publication date: 29-May-2015
