The University of Southampton
University of Southampton Institutional Repository

Early detection of system-level anomalous behaviour using hardware performance counters

Early detection of system-level anomalous behaviour using hardware performance counters
Early detection of system-level anomalous behaviour using hardware performance counters

Embedded systems suffer from reliability issues such as variations in temperature and voltage, single event effects and component degradation, as well as being exposed to various security attacks such as control hijacking, malware, reverse engineering, eavesdropping and many others. Both reliability problems and security attacks can cause the system to behave anomalously. In this paper, we will present a detection technique that is able to detect a change in the system before the system encounters a failure, by using data from Hardware Performance Counters (HPCs). Previously, we have shown how HPC data can be used to create an execution profile of a system based on measured events and any deviation from this profile indicates an anomaly has occurred in the system. The first step in developing a detector is to analyse the HPC data and extract the features from the collected data to build a forecasting model. Anomalies are assumed to happen if the observed value falls outside a given confidence interval, which is calculated based on the forecast values and prediction confidence. The detector is designed to provide a warning to the user if anomalies that are detected occur consecutively for a certain number of times. We evaluate our detection algorithm on benchmarks that are affected by single bit flip faults. Our initial results show that the detection algorithm is suitable for use for this kind of univariate time series data and is able to correctly identify anomalous data from normal data.

485-490
Institute of Electrical and Electronics Engineers Inc.
Woo, Lai Leng
ee042648-77bc-4b5d-979e-a44b302a7ad9
Zwolinski, Mark
adfcb8e7-877f-4bd7-9b55-7553b6cb3ea0
Halak, Basel
8221f839-0dfd-4f81-9865-37def5f79f33
Woo, Lai Leng
ee042648-77bc-4b5d-979e-a44b302a7ad9
Zwolinski, Mark
adfcb8e7-877f-4bd7-9b55-7553b6cb3ea0
Halak, Basel
8221f839-0dfd-4f81-9865-37def5f79f33

Woo, Lai Leng, Zwolinski, Mark and Halak, Basel (2018) Early detection of system-level anomalous behaviour using hardware performance counters. In 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE). vol. 2018-January, Institute of Electrical and Electronics Engineers Inc. pp. 485-490 . (doi:10.23919/DATE.2018.8342057).

Record type: Conference or Workshop Item (Paper)

Abstract

Embedded systems suffer from reliability issues such as variations in temperature and voltage, single event effects and component degradation, as well as being exposed to various security attacks such as control hijacking, malware, reverse engineering, eavesdropping and many others. Both reliability problems and security attacks can cause the system to behave anomalously. In this paper, we will present a detection technique that is able to detect a change in the system before the system encounters a failure, by using data from Hardware Performance Counters (HPCs). Previously, we have shown how HPC data can be used to create an execution profile of a system based on measured events and any deviation from this profile indicates an anomaly has occurred in the system. The first step in developing a detector is to analyse the HPC data and extract the features from the collected data to build a forecasting model. Anomalies are assumed to happen if the observed value falls outside a given confidence interval, which is calculated based on the forecast values and prediction confidence. The detector is designed to provide a warning to the user if anomalies that are detected occur consecutively for a certain number of times. We evaluate our detection algorithm on benchmarks that are affected by single bit flip faults. Our initial results show that the detection algorithm is suitable for use for this kind of univariate time series data and is able to correctly identify anomalous data from normal data.

Full text not available from this repository.

More information

e-pub ahead of print date: 19 April 2018
Venue - Dates: 2018 Design, Automation and Test in Europe Conference and Exhibition, Dresden, Germany, 2018-03-19 - 2018-03-23

Identifiers

Local EPrints ID: 421889
URI: https://eprints.soton.ac.uk/id/eprint/421889
PURE UUID: 9c584d53-f063-4374-beaf-d2346b891602
ORCID for Lai Leng Woo: ORCID iD orcid.org/0000-0003-3313-6177
ORCID for Mark Zwolinski: ORCID iD orcid.org/0000-0002-2230-625X
ORCID for Basel Halak: ORCID iD orcid.org/0000-0003-3470-7226

Catalogue record

Date deposited: 06 Jul 2018 16:30
Last modified: 18 Jul 2019 10:51

Export record

Altmetrics

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of https://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×