Time and sequence integrated runtime anomaly detection for embedded systems

Sixing Lu, Roman Lysecky

Research output: Contribution to journalArticlepeer-review

13 Scopus citations


Network-connected embedded systems grow on a large scale as a critical part of Internet of Things, and these systems are under the risk of increasing malware. Anomaly-based detection methods can detect malware in embedded systems effectively and provide the advantage of detecting zero-day exploits relative to signature-based detection methods, but existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this article, we present a formal runtime security model that defines the normal system behavior including execution sequence and execution timing. The anomaly detection method in this article utilizes on-chip hardware to non-intrusively monitor system execution through trace port of the processor and detect malicious activity at runtime. We further analyze the properties of the timing distribution for control flow events, and select subset of monitoring targets by three selection metrics to meet hardware constraint. The designed detection method is evaluated by a network-connected pacemaker benchmark prototyped in FPGA and simulated in SystemC, with several mimicry attacks implemented at different levels. The resulting detection rate and false positive rate considering constraints on the number of monitored events supported in the on-chip hardware demonstrate good performance of our approach.

Original languageEnglish (US)
Article number38
JournalACM Transactions on Embedded Computing Systems
Issue number2
StatePublished - Dec 2017


  • Anomaly detection
  • Embedded system security
  • Medical device security
  • Software security
  • Timing based detection

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture


Dive into the research topics of 'Time and sequence integrated runtime anomaly detection for embedded systems'. Together they form a unique fingerprint.

Cite this