Signal Processing for Trace-based Anomaly Detection in Embedded Software

Abstract

Embedded operating systems generate a log of operating system function calls which we refer to as traces. Trace-based anomaly detection deals with the problem of determining whether or not an instance of traces represents a normal execution scenario. Most current approaches focus on application areas outside of the embedded systems domain and thus do not take advantage of the intrinsic properties of this domain.

This work introduces Signal Processing for Trace Based Anomaly Detection (SiPTA): a novel technique for offline trace-based anomaly detection that utilizes the intrinsic feature of periodicity present in embedded systems. SiPTA uses discrete-time Fourier transform which is a crucial tool of signal processing theory as an underlying method. This Thesis describes a generic framework for mapping execution traces to channels and signals for further processing. The classification stage of SiPTA uses a comprehensive set of metrics. As this thesis demonstrates, SiPTA is particularly useful for embedded systems. More specifically, we will compare SiPTA with state-of-the-art approaches to trace-based anomaly detection based on the Markov Model and Neural Networks. This thesis also shows the technical feasibility and viability of SiPTA through multiple case studies using traces from a field-tested hexacopter, a mobile phone platform, and a car infotainment unit. In the experiments, our approach outperformed every other tested method.