Early Detection of System-Level Anomalous Behaviour using Hardware Performance Counters

Lai Leng Woo, Mark Zwolinski and Basel Halak
Department of Electronics and Computer Science
University of Southampton, Southampton, United Kingdom SO17 1BJ
Email: L.L.Woo@soton.ac.uk

Abstract—Embedded systems suffer from reliability issues such as variations in temperature and voltage, single event effects and component degradation, as well as being exposed to various security attacks such as control hijacking, malware, reverse engineering, eavesdropping and many others. Both reliability problems and security attacks can cause the system to behave anomalously. In this paper, we present a detection technique that is able to detect a change in the system before the system encounters a failure, by using data from Hardware Performance Counters (HPCs). Previously, we have shown how HPC data can be used to create an execution profile of a system based on measured events; any deviation from this profile indicates that an anomaly has occurred in the system. The first step in developing a detector is to analyse the HPC data and extract features from the collected data to build a forecasting model. An anomaly is assumed to have happened if the observed value falls outside a given confidence interval, which is calculated from the forecast values and the prediction confidence. The detector is designed to warn the user if detected anomalies occur consecutively a certain number of times. We evaluate our detection algorithm on benchmarks that are affected by single bit flip faults. Our initial results show that the detection algorithm is suitable for this kind of univariate time series data and is able to correctly distinguish anomalous data from normal data.

I. INTRODUCTION

The improvements in transistor size and integrated circuit performance have allowed the growth of embedded sensors, and these sensors are becoming more affordable for daily usage.
With the emergence of the Internet of Things (IoT), these sensors are now being connected together in a network where huge amounts of time series data are streamed, collected and shared. The sensors used in IoT are considered rather inexpensive and can be replaced easily; however, there appears to be increasing concern about expecting these sensors to function in a safe, secure and reliable manner. The concerns for safety, reliability and security in embedded devices and systems have been studied for many years. Safety in embedded systems means reducing the frequency of failures, whereas reliability means ensuring the system completes the task without experiencing any failure [1]. Security in the context of an IoT application means ensuring that malicious attackers do not gain control of any of the embedded devices or systems, which could lead to disastrous consequences. Although care has been taken to ensure these systems and sensors function in a safe, secure and reliable manner, they are still exposed to various environmental conditions which may cause problems for the systems and sensors. For example, the sensors may be imperfect, a bit error may appear, or the nature of the physical processes may have some variations. Security attacks on IoT applications such as eavesdropping, control hijacking, malware and others also cause problems for IoT applications. The impact of these problems is anomalous behaviour in the system, which could lead to the device experiencing failure. Very often, users become aware of the anomalous behaviour only after a failure has occurred. One practical approach is to detect anomalies from streaming real-time data. As described elsewhere [2], we have used Hardware Performance Counters (HPCs) to monitor the behaviour of a system. HPCs are sets of special-purpose counters built into processors to record events precisely and accurately in real time.
A system that behaves normally (no error detected in the system) exhibits a profile, and any deviations from this profile indicate that there is an anomaly in the system. Research on anomaly detection in real-time streaming data is not new; however, we have yet to find research attempting to detect a change in the behaviour of the system using HPCs. This paper is the first attempt that focuses on early detection of anomalies (deviation from the normal patterns in the system) by utilising the real-time streaming HPCs that are available in the processor itself, and thus, no modification is required to the physical system. By creating a system that has some self-awareness capability and that is able to provide a warning to the user before a failure occurs, we aim to minimise or even avoid potential risk to the user.

Overall, the main contributions of our work are as follows:
• We develop the algorithm for early detection of system-level anomalous behaviour using HPCs;
• We explore several anomaly detection methods that are applied in a case study;
• We develop a new attribute called the detection time that evaluates the effectiveness of the early detection algorithm; and
• Our results show that the algorithm can be used for early detection of system-level anomalous behaviour.

This paper is organised as follows. Section II looks at anomaly detection in the context of real-time time-series data. Our proposed detection algorithm and experiment based on hardware performance counter are presented in Section III. In Section IV, we discuss the data we obtained from our

978-3-9819263-0-9/DATE18/ © 2018 EDAA
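The detection scheme summarised in the abstract (forecast, confidence interval, warning after consecutive anomalies) can be sketched as follows; this is an added example, not the authors' code. It assumes simple exponential smoothing as the forecasting model, and the values of alpha, z and k, the function names and the counter readings are all constructed for illustration.

```python
import math

# Constructed per-interval counter readings (not measurements from the paper).
PATTERN = [1000, 1004, 998, 1002, 996, 1001, 999, 1003]
TRAIN = PATTERN * 2                          # fault-free profiling run
STREAM = PATTERN * 2 + [v + 30 for v in PATTERN]
STREAM[5] = 1041                             # isolated glitch; fault shift starts at 16

def fit_profile(train, alpha=0.5):
    """Learn the normal profile: final smoothed level and forecast-error spread."""
    level, sq = train[0], 0.0
    for x in train[1:]:
        err = x - level                      # one-step-ahead forecast error
        sq += err * err
        level = alpha * x + (1 - alpha) * level
    return level, math.sqrt(sq / (len(train) - 1))

def detect(stream, level, sigma, alpha=0.5, z=3.0, k=3):
    """Return (anomalous sample indices, index of the first warning or None)."""
    anomalies, run = [], 0
    for i, x in enumerate(stream):
        if abs(x - level) <= z * sigma:      # inside the confidence interval
            run = 0
            level = alpha * x + (1 - alpha) * level
        else:                                # outside: count it, keep the profile frozen
            anomalies.append(i)
            run += 1
            if run >= k:                     # k consecutive anomalies -> warn
                return anomalies, i
    return anomalies, None

if __name__ == "__main__":
    level, sigma = fit_profile(TRAIN)
    print(detect(STREAM, level, sigma))
```

Freezing the forecast while a sample is out of bounds keeps a persistent shift from being absorbed into the profile, so the isolated glitch is flagged once without a warning while the sustained shift raises one on its third consecutive sample.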