Anomaly Detection in Embedded Systems

By employing fault tolerance, embedded systems can withstand both intentional and unintentional faults. Many fault tolerance mechanisms are invoked only after a fault has been detected by whatever fault-detection mechanism is used; hence, the process of fault detection must itself be dependable if the system is expected to be fault-tolerant. Many faults are detectable only indirectly as a result of performance disorders that manifest as anomalies in monitored system or sensor data. Anomaly detection, therefore, is often the primary means of providing early indications of faults. As with any other kind of detector, one seeks full coverage of the detection space with the anomaly detector being used. Even if coverage of a particular anomaly detector falls short of 100%, detectors can be composed to effect broader coverage, once their respective sweet spots and blind regions are known. This paper provides a framework and a fault-injection methodology for mapping an anomaly detector's effective operating space and shows that two detectors, each designed to detect the same phenomenon, may not perform similarly, even when the event to be detected is unequivocally anomalous and should be detected by either detector. Both synthetic and real-world data are used.
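The following added example (constructed here, not code or data from the paper) illustrates the abstract's point: two detectors aimed at the same controller faults, one watching sensor magnitude and one watching event ordering, each miss an unequivocal anomaly that the other catches, and their union restores coverage. The event codes, value band, fault positions and fault-injection routine are all constructed for the illustration.

```python
"""Two anomaly detectors over one telemetry stream, each with a blind region,
and their composition.  Constructed data, not the paper's."""

# Constructed telemetry: (event_code, sensor_value) records from a controller
# whose normal cycle is the fixed event order A->B->C->D with values in 10..30.
NORMAL_CYCLE = [("A", 10), ("B", 20), ("C", 30), ("D", 20)]
TRAIN = NORMAL_CYCLE * 25  # 100 records of fault-free operation

def value_detector(stream, train=TRAIN, margin=5):
    """Magnitude detector: flags records whose value leaves the trained band."""
    values = [v for _, v in train]
    lo, hi = min(values) - margin, max(values) + margin
    return {i for i, (_, v) in enumerate(stream) if not lo <= v <= hi}

def order_detector(stream, train=TRAIN, n=3):
    """Sequence detector (in the style of system-call sequence detectors):
    flags windows of n event codes never seen in training, ignoring values."""
    codes = [c for c, _ in train]
    normal = {tuple(codes[i:i + n]) for i in range(len(codes) - n + 1)}
    obs = [c for c, _ in stream]
    return {i for i in range(len(obs) - n + 1) if tuple(obs[i:i + n]) not in normal}

def composed_detector(stream):
    """Union of alarms: coverage is the union of the two operating regions."""
    return value_detector(stream) | order_detector(stream)

def inject_faults(stream, spike_at=12, swap_at=28):
    """Fault injection: a magnitude fault (sensor spike, order intact) and an
    ordering fault (two adjacent events swapped, values stay in band)."""
    s = list(stream)
    code, _ = s[spike_at]
    s[spike_at] = (code, 90)                                  # value fault
    s[swap_at], s[swap_at + 1] = s[swap_at + 1], s[swap_at]   # order fault
    return s

def detected(alarms, fault_index, n=3):
    """A fault counts as detected if some alarm window covers its index."""
    return any(a <= fault_index < a + n for a in alarms)

def run():
    """Returns, per detector, (caught spike fault, caught ordering fault)."""
    stream = inject_faults(TRAIN[:40])
    results = {}
    for name, det in (("value", value_detector), ("order", order_detector),
                      ("composed", composed_detector)):
        alarms = det(stream)
        results[name] = (detected(alarms, 12), detected(alarms, 28))
    return results

if __name__ == "__main__":
    print(run())
```

Neither detector alarms on the fault-free training stream; on the injected stream the value detector sees only the spike, the order detector only the swap, and the composition sees both.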
