PhD Seminar: Anomaly Detection in Embedded Real-Time Systems by Classification of Features from Event-Traces

Tuesday, July 24, 2018 3:00 pm - 3:00 pm EDT (GMT -04:00)

Candidate: Reinier Torres Labrada

Title: Anomaly Detection in Embedded Real-Time Systems by Classification of Features from Event-Traces

Date: July 24, 2018

Time: 3:00 pm

Place: E5 5106-5128

Supervisor(s): Fischmeister, Sebastian

Abstract:

The main goal of anomaly detection is to identify artifacts that differ from the norm. In the embedded real-time systems realm, where timing correctness is a strong requirement, timing anomalies can be indicators of undesirable temporal behaviour. Timing anomalies (TAs) arise due to undesirable or infrequent system behaviour lasting for some interval of time. Therefore, TAs are not necessarily linked to failures or unsafe conditions, although they are of great importance because of their potential to indicate malfunctions.

We discover anomalies by classifying the inter-arrival times of event sequences extracted from time-stamped traces. The traces under analysis were generated by real-time embedded systems (RTESs) having recurrent event generators, e.g., processes or communication nodes running jobs periodically or sporadically. Our anomaly detection engine (named SiPTA) is capable of binary classification of time-stamped event traces. The method leverages the periodic or stationary nature of inter-arrival time series, signal processing and statistical analysis to identify anomalous behaviour in event traces. SiPTA targets anomalies that affect the power spectral density of inter-arrival time series, and it is insensitive to event order, making it suitable for anomaly detection in scenarios such as scheduled embedded systems.

The classification of the generators' signals is achieved by comparing the frequency-domain features of an unknown trace to a normal model trained from well-behaved executions of the system. Scores are assigned to each signal in the analysis trace, which can help engineers isolate the source of the anomaly. SiPTA was tested on traces from a hexacopter running QNX, and CAN bus traces from a car subject to injection attacks. The results show that timing anomalies can be detected on more than one signal, while anomaly detection rates range from perfect classification in CAN bus to more than 80% true detection for the other two metrics.
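The following sketch is an added illustration of the idea in the abstract, not SiPTA's code: it scores one generator's inter-arrival series by comparing its power spectral density to a model trained on normal windows. The periodogram feature, the relative L1 distance, the threshold rule, all function names and the traces (a constructed 10 ms periodic sender, with and without extra frames) are assumptions made for the example.

```python
import cmath, math, random

def inter_arrivals(ts):
    """Inter-arrival times of one event generator (e.g. one CAN ID)."""
    return [b - a for a, b in zip(ts, ts[1:])]

def psd(series):
    """Periodogram of the mean-removed series, bins 1..N/2 (naive DFT)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n)
                    for t in range(n))) ** 2 / n
            for k in range(1, n // 2 + 1)]

def train(windows):
    """Normal model: per-bin mean PSD over well-behaved windows."""
    spectra = [psd(inter_arrivals(w)) for w in windows]
    return [sum(col) / len(col) for col in zip(*spectra)]

def score(model, window):
    """Relative L1 distance between a window's PSD and the normal model."""
    p = psd(inter_arrivals(window))
    return sum(abs(a - b) for a, b in zip(p, model)) / sum(model)

# Constructed traces (not measured data): timestamps in milliseconds.
def periodic_trace(rng, n=65, period=10.0, jitter=0.2):
    """Periodic sender with bounded release jitter."""
    return [i * period + rng.uniform(-jitter, jitter) for i in range(n)]

def inject(trace, every=4, period=10.0):
    """Add a frame half a period after every `every`-th frame; keep window length."""
    extra = [t + period / 2 for t in trace[::every]]
    return sorted(trace + extra)[:len(trace)]

def demo():
    """Return (threshold, score of a normal window, score of an injected window)."""
    rng = random.Random(2018)
    normal = [periodic_trace(rng) for _ in range(8)]
    model = train(normal)
    threshold = 3 * max(score(model, w) for w in normal)  # assumed margin
    held_out = periodic_trace(rng)
    return threshold, score(model, held_out), score(model, inject(held_out))

if __name__ == "__main__":
    print(demo())
```

Running one such scorer per signal gives the per-signal scores the abstract describes; the injected frames add a periodic component to the inter-arrival series, so the spectral distance rises far above the jitter-only baseline.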