TY - JOUR
T1 - Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters
AU - Krishnamurthy, Prashanth
AU - Karri, Ramesh
AU - Khorrami, Farshad
N1 - Funding Information:
Manuscript received January 17, 2019; revised May 28, 2019; accepted May 29, 2019. Date of publication June 17, 2019; date of current version September 24, 2019. This work was supported in part by the U.S. Office of Naval Research under Grant N00014-15-1-2182 and Grant N00014-17-1-2006 and in part by Defense Advanced Research Projects Agency under Air Force Research Laboratory (AFRL) Contract FA8750-16-C-0179. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Chip-Hong Chang. (Corresponding author: Prashanth Krishnamurthy.) The authors are with the Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY 11201 USA (e-mail: [email protected]; [email protected]; [email protected]). Digital Object Identifier 10.1109/TIFS.2019.2923577
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2020
Y1 - 2020
AB - We propose a novel methodology for real-time monitoring of software running on embedded processors in cyber-physical systems (CPS). The approach uses real-time monitoring of hardware performance counters (HPCs) and applies to multi-threaded and interrupt-driven processes typical in programmable logic controller (PLC) implementations of real-time controllers. The methodology uses a black-box approach to profile the target process using HPCs. The time series of HPC measurements over a time window under known-good operating conditions is used to train a machine learning classifier. At run-time, this trained classifier classifies the time series of HPC measurements as baseline (i.e., probabilistically corresponding to a model learned from the training data) or anomalous. The baseline versus anomalous labels over successive time windows offer robustness against the stochastic variability of code execution on the embedded processor and detect code modifications. We demonstrate the effectiveness of the approach on an embedded PLC in a hardware-in-the-loop (HITL) testbed emulating a benchmark industrial process. In addition, to illustrate the scalability of the approach, we also apply the methodology to a second PLC platform running a representative embedded control process.
KW - Anomaly detection
KW - cyber security
KW - malware
KW - programmable logic controller
KW - resilient control
UR - http://www.scopus.com/inward/record.url?scp=85072757553&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85072757553&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2019.2923577
DO - 10.1109/TIFS.2019.2923577
M3 - Article
AN - SCOPUS:85072757553
SN - 1556-6013
VL - 15
SP - 666
EP - 680
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
M1 - 8737990
ER -
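The abstract describes a window-based pipeline: sample HPCs over a time window, summarise each window, train on known-good windows, label run-time windows as baseline or anomalous, and use the labels over successive windows to absorb the stochastic variability of execution. The script below is an added illustration of that pipeline and is not the authors' code or classifier: the HPC traces are constructed with a seeded random generator (a known-good process and a hypothetical modified binary that executes extra code), and the classifier is a simple diagonal-Gaussian z-score distance with a threshold derived from the training windows, standing in for the paper's machine-learning classifier. The counter names, the per-counter statistics and the window and voting parameters are all assumptions made for the example.

```python
"""Window-level anomaly detection over hardware-performance-counter (HPC)
time series: baseline-vs-anomalous labels per window, then a vote over
successive windows.

Added illustration only. The traces are synthetic and the classifier is a
z-score distance model, not the paper's machine-learning classifier.
"""
import math
import random
from statistics import mean, pstdev

# Assumed counters sampled once per sampling interval (e.g. one PLC scan).
COUNTERS = ("instructions", "branches", "llc_misses")

# Constructed per-sample (mean, std) of counter deltas for the known-good
# process and for a hypothetical modified binary that runs extra code.
BASELINE_STATS = {"instructions": (1000, 50), "branches": (200, 15), "llc_misses": (30, 5)}
MODIFIED_STATS = {"instructions": (1150, 60), "branches": (240, 18), "llc_misses": (42, 6)}


def simulate_trace(stats, n_samples, rng):
    """Return n_samples rows of counter deltas, one row per sampling interval."""
    return [[max(0.0, rng.gauss(*stats[c])) for c in COUNTERS] for _ in range(n_samples)]


def make_windows(trace, width):
    """Split a trace into non-overlapping windows of `width` samples."""
    return [trace[i:i + width] for i in range(0, len(trace) - width + 1, width)]


def window_features(window):
    """Summarise one window as per-counter mean and std (the feature vector)."""
    feats = []
    for j in range(len(COUNTERS)):
        column = [row[j] for row in window]
        feats.append(mean(column))
        feats.append(pstdev(column))
    return feats


def distance(model, feats):
    """Euclidean distance of a feature vector from the baseline, in z-score units."""
    return math.sqrt(sum(((f - m) / s) ** 2
                         for f, m, s in zip(feats, model["mu"], model["sigma"])))


def train_baseline(train_windows, margin=1.5):
    """Fit per-feature mean/std on known-good windows and derive a threshold.

    The threshold is the largest training distance scaled by `margin`, so every
    training window is labelled baseline by construction.
    """
    rows = [window_features(w) for w in train_windows]
    model = {"mu": [mean(col) for col in zip(*rows)],
             "sigma": [max(pstdev(col), 1e-9) for col in zip(*rows)]}
    model["threshold"] = margin * max(distance(model, r) for r in rows)
    return model


def classify(model, windows):
    """Label each window True (anomalous) or False (baseline)."""
    return [distance(model, window_features(w)) > model["threshold"] for w in windows]


def smooth(labels, n=3, k=2):
    """Alarm only when at least k of the last n window labels are anomalous,
    which suppresses isolated outlier windows caused by execution jitter."""
    out = []
    for i in range(len(labels)):
        recent = labels[max(0, i - n + 1):i + 1]
        out.append(sum(recent) >= k)
    return out


def run_demo(width=20, seed=7):
    """Train on 200 known-good windows, then score 100 good and 100 modified windows."""
    rng = random.Random(seed)
    train = make_windows(simulate_trace(BASELINE_STATS, 200 * width, rng), width)
    model = train_baseline(train)
    good = make_windows(simulate_trace(BASELINE_STATS, 100 * width, rng), width)
    bad = make_windows(simulate_trace(MODIFIED_STATS, 100 * width, rng), width)
    good_raw, bad_raw = classify(model, good), classify(model, bad)
    return {
        "train_flagged": sum(classify(model, train)),
        "good_flagged_raw": sum(good_raw),
        "good_flagged_smoothed": sum(smooth(good_raw)),
        "bad_flagged_raw": sum(bad_raw),
        "bad_flagged_smoothed": sum(smooth(bad_raw)),
    }


if __name__ == "__main__":
    print(run_demo())
```

On real hardware the rows of `simulate_trace` would come from a sampling driver (for example periodic reads of the core's PMU registers), and the window width would be tied to the controller's scan period; the voting step is what keeps a single jittery window from raising an alarm while a sustained shift from modified code still does.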