Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters

Prashanth Krishnamurthy, Ramesh Karri, Farshad Khorrami

Research output: Contribution to journalArticlepeer-review


We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPC) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementation of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.

Original languageEnglish (US)
Article number8737990
Pages (from-to)666-680
Number of pages15
JournalIEEE Transactions on Information Forensics and Security
StatePublished - 2020


  • Anomaly detection
  • cyber security
  • malware
  • programmable logic controller
  • resilient control

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters'. Together they form a unique fingerprint.

Cite this