Data-driven anomaly detection with timing features for embedded systems

Sixing Lu, Roman Lysecky

Research output: Contribution to journalArticlepeer-review

12 Scopus citations


Malware is a serious threat to network-connected embedded systems, as evidenced by the continued and rapid growth of such devices, commonly referred to as the Internet of Things. Their ubiquitous use in critical applications require robust protection to ensure user safety and privacy. That protection must be applied to all system aspects, extending beyond protecting the network and external interfaces. Anomaly detection is one of the last lines of defence against malware, in which data-driven approaches that require the least domain knowledge are popular. However, embedded systems, particularly edge devices, face several challenges in applying data-driven anomaly detection, including unpredictability of malware, limited tolerance to long data collection windows, and limited computing/energy resources. In this article, we utilize subcomponent timing information of software execution, including intrinsic software execution, instruction cache misses, and data cache misses as features, to detect anomalies based on ranges, multi-dimensional Euclidean distance, and classification at runtime. Detection methods based on lumped timing range are also evaluated and compared. We design several hardware detectors implementing these data-driven detection methods, which non-intrusively measuring lumped/subcomponent timing of all system/function calls of the embedded application. We evaluate the area, power, and detection latency of the presented detector designs. Experimental results demonstrate that the subcomponent timing model provides sufficient features to achieve high detection accuracy with low false-positive rates using a one-class support vector machine, considering sophisticated mimicry malware.

Original languageEnglish (US)
Article number33
JournalACM Transactions on Design Automation of Electronic Systems
Issue number3
StatePublished - May 2019


  • Anomaly detection
  • Embedded system security
  • One-class SVM
  • Software security
  • Timing-based detection

ASJC Scopus subject areas

  • Computer Science Applications
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering


Dive into the research topics of 'Data-driven anomaly detection with timing features for embedded systems'. Together they form a unique fingerprint.

Cite this