Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

Prashanth Krishnamurthy, Ramesh Karri, Farshad Khorrami

Research output: Contribution to journal › Article

Abstract

We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.

Original language: English (US)
Article number: 8737990
Pages (from-to): 666-680
Number of pages: 15
Journal: IEEE Transactions on Information Forensics and Security
Volume: 15
State: Published - Jan 1 2020

Fingerprint

Programmable logic controllers
Hardware
Time series
Classifiers
Monitoring
Testbeds
Computer hardware
Learning systems
Scalability
Labels
Controllers

Keywords

  • Anomaly detection
  • cyber security
  • malware
  • programmable logic controller
  • resilient control

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters. / Krishnamurthy, Prashanth; Karri, Ramesh; Khorrami, Farshad.

In: IEEE Transactions on Information Forensics and Security, Vol. 15, 8737990, 01.01.2020, p. 666-680.

@article{4295f8b0b78949c7b61ea6936dbbe27a,
title = "Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters",
abstract = "We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.",
keywords = "Anomaly detection, cyber security, malware, programmable logic controller, resilient control",
author = "Prashanth Krishnamurthy and Ramesh Karri and Farshad Khorrami",
year = "2020",
month = "1",
day = "1",
doi = "10.1109/TIFS.2019.2923577",
language = "English (US)",
volume = "15",
pages = "666--680",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

AU - Krishnamurthy, Prashanth

AU - Karri, Ramesh

AU - Khorrami, Farshad

PY - 2020/1/1

Y1 - 2020/1/1

AB - We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.

KW - Anomaly detection

KW - cyber security

KW - malware

KW - programmable logic controller

KW - resilient control

UR - http://www.scopus.com/inward/record.url?scp=85072757553&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072757553&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2019.2923577

DO - 10.1109/TIFS.2019.2923577

M3 - Article

AN - SCOPUS:85072757553

VL - 15

SP - 666

EP - 680

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

M1 - 8737990

ER -