Anomaly detection in Cyber-Physical Systems based on Hardware Performance Counters

Kristian, Alexander

January 2023

In this project work the basis for an anomaly detection system in ARM processors was researched on. Specifically, the focus was set to determine the performance monitoring units (PMU) in the processor which allow the reliable detection of anomalies. This was achieved by injecting targeted faults on the assembly level into the binary file to represent attacks on a physical level in a consistent way. A set of three PMUs was determined to reach a detection rate of 56.67% to 66.67% (depending on the test scenario) in the selected scenarios. However, the expected detection rate is higher for real-world attacks, due to the broad nature of the executed tests. In addition, it was observed that the readout frequency of these PMUs is critical, and in general, it is advisable to expose the values after each function call, or in the case of security-sensitive sections, multiple times within functions.

ARM

anomaly detection

CPS

assembly

Computer Systems

Datorsystem

Design and Implementation of Parallel Anomaly Detection

Shanbhag, Shashank

01 January 2007

The main objective of the thesis is to show that multiple anomaly detection algorithms can be implemented in parallel to effectively characterize the type of traffic causing the abnormal behavior. The logs are obtained by running six anomaly detection algorithms in parallel on the Network Processor. Further, a hierarchical tree representation is defined which illustrates the state of traffic in real-time. The nodes represent a particular subset of traffic and each of the nodes calculate the aggregate for the traffic represented by the node, given the output from all the algorithms. The greater the aggregate, the darker the node indicating an anomaly. The visual representation makes it easy for an operator to distinguish between anomalous and non-anomalous nodes.

anomaly

anomaly detection

parallel

detection

multiple

algorithms

Computer science

Application of anomaly detection techniques to astrophysical transients

Ramonyai, Malema Hendrick

January 2021

>Magister Scientiae - MSc / We are fast moving into an era where data will be the primary driving factor for discovering new unknown astronomical objects and also improving our understanding of the current rare astronomical objects. Wide field survey telescopes such as the Square Kilometer Array (SKA) and Vera C. Rubin observatory will be producing enormous amounts of data over short timescales. The Rubin observatory is expected to record ∼ 15 terabytes of data every night during its ten-year Legacy Survey of Space and Time (LSST), while the SKA will collect ∼100 petabytes of data per day. Fast, automated, and datadriven techniques, such as machine learning, are required to search for anomalies in these enormous datasets, as traditional techniques such as manual inspection will take months to fully exploit such datasets.

Astronomy

Data

Square Kilometer Array (SKA)

Rubin observatory

Anomaly detection

Detection of Similarly-structured Anomalous sets of nodes in Graphs

Sharma, Nikita

04 October 2021

No description available.

Computer Science

Anomaly Detection

Biclustering

TRIMAX Biclustering

Graph attributes

Adversarial Learning based framework for Anomaly Detection in the context of Unmanned Aerial Systems

Bhaskar, Sandhya

18 June 2020

Anomaly detection aims to identify the data samples that do not conform to a known normal (regular) behavior. As the definition of an anomaly is often ambiguous, unsupervised and semi-supervised deep learning (DL) algorithms that primarily use unlabeled datasets to model normal (regular) behaviors, are popularly studied in this context. The unmanned aerial system (UAS) can use contextual anomaly detection algorithms to identify interesting objects of concern in applications like search and rescue, disaster management, public security etc. This thesis presents a novel multi-stage framework that supports detection of frames with unknown anomalies, localization of anomalies in the detected frames, and validation of detected frames for incremental semi-supervised learning, with the help of a human operator. The proposed architecture is tested on two new datasets collected for a UAV-based system. In order to detect and localize anomalies, it is important to both model the normal data distribution accurately as well as formulate powerful discriminant (anomaly scoring) techniques. We implement a generative adversarial network (GAN)-based anomaly detection architecture to study the effect of loss terms and regularization on the modeling of normal (regular) data and arrive at the most effective anomaly scoring method for the given application. Following this, we use incremental semi-supervised learning techniques that utilize a small set of labeled data (obtained through validation from a human operator), with large unlabeled datasets to improve the knowledge-base of the anomaly detection system. / Master of Science / Anomaly detection aims to identify the data samples that do not conform to a known normal (regular) behavior. As the definition of an anomaly is often ambiguous, most techniques use unlabeled datasets, to model normal (regular) behaviors. The availability of large unlabeled datasets combined with novel applications in various domains, has led to an increasing interest in the study of anomaly detection. In particular, the unmanned aerial system (UAS) can use contextual anomaly detection algorithms to identify interesting objects of concern in applications like search and rescue (SAR), disaster management, public security etc. This thesis presents a novel multi-stage framework that supports detection and localization of unknown anomalies, as well as the validation of detected anomalies, for incremental learning, with the help of a human operator. The proposed architecture is tested on two new datasets collected for a UAV-based system. In order to detect and localize anomalies, it is important to both model the normal data distribution accurately and formulate powerful discriminant (anomaly scoring) techniques. To this end, we study the state-of-the-art generative adversarial networks (GAN)-based anomaly detection algorithms for modeling of normal (regular) behavior and formulate effective anomaly detection scores. We also propose techniques to incrementally learn the new normal data as well as anomalies, using the validation provided by a human operator. This framework is introduced with the aim to support temporally critical applications that involve human search and rescue, particularly in disaster management.

Moving camera

Anomaly Detection

Adversarial Learning

Unmanned Aerial Systems (UAS)

Anomaly detection in competitive multiplayer games

Greige, Laura

05 November 2022

As online video games rise in popularity, there has been a significant increase in fraudulent behavior and malicious activity. Numerous methods have been proposed to automate the identification and detection of such behaviors but most studies focused on situations with perfect prior knowledge of the gaming environment, particularly, in regards to the malicious behaviour being identified. This assumption is often too strong and generally false when it comes to real-world scenarios. For these reasons, it is useful to consider the case of incomplete information and combine techniques from machine learning and solution concepts from game theory that are better suited to tackle such settings, and automate the detection of anomalous behaviors. In this thesis, we focus on two major threats in competitive multiplayer games: intrusion and device compromises, and cheating and exploitation. The former is a knowledge-based anomaly detection, focused on understanding the technology and strategy being used by the attacker in order to prevent it from occurring. One of the major security concerns in cyber-security are Advanced Persistent Threats (APT). APTs are stealthy and constant computer hacking processes which can compromise systems bypassing traditional security measures in order to gain access to confidential information held in those systems. In online video games, most APT attacks leverage phishing and target individuals with fake game updates or email scams to gain initial access and steal user data, including but not limited to account credentials and credit card numbers. In our work, we examine the two player game called FlipIt to model covert compromises and stealthy hacking processes in partial observable settings, and show the efficiency of game theory concept solutions and deep reinforcement learning techniques to improve learning and detection in the context of fraud prevention. The latter defines a behavioral-based anomaly detection. Cheating in online games comes with many consequences for both players and companies; hence, cheating detection and prevention is an important part of developing a commercial online game. However, the task of manually identifying cheaters from the player population is unfeasible to game designers due to the sheer size of the player population and lack of test datasets. In our work, we present a novel approach to detecting cheating in competitive multiplayer games using tools from hybrid intelligence and unsupervised learning, and give proof-of-concept experimental results on real-world datasets.

Computer science

Anomaly detection

Machine learning

Multiplayer games

Observability of the Scattering Cross-section for Strong and Weak Scattering

Fayard, Patrick

09 1900

<p> Jakeman's random walk model with step number fluctuations describes the amplitude scattered from a rough medium in terms as the coherent summation of (independent) individual scatterers' contributions. For a population following a birthdeath- immigration (BDI) model, the resulting statistics are k-distributed and the multiplicative representation of the amplitude as a Gaussian speckle modulated by a Gamma radar cross-section (RCS) is recovered. The main objective of the present thesis is to discuss techniques for the inference of the RCS in local time in order to facilitate anomaly detection. We first show how the Pearson class of diffusions, which we derive on the basis of a discrete population model analogous to the BDI, encompasses this Gamma texture as well as other texture models studied in the literature. Next we recall how Field & Tough derived, in an Ito calculus framework, the dynamics and the auto-correlation function of the scattered amplitude from the random walk model. In particular, they showed how the RCS was observable through the intensity-weighted squared fluctuations of the phase. Thanks to a discussion of the sources of discrepancy arising during this process, we derive an analytical expression for the inference error based on its asymptotic behaviours, together with a condition to minimize it. Our results are then extended to the Pearson class of diffusions whose importance for radar clutters is described. Next, we consider an experimental caveat, namely the presence of an additional white noise. The finite impulse response Wiener filter enables the design of the optimal filter to retrieve the scattered amplitude when it lies in superposition with thermal noise, thus enabling the usage of our inference technique. Finally, we consider weak scattering when a coherent signal lies in superposition with the aforementioned (strongly) scattered amplitude. Strong and weak scattering patterns differ regarding the correlation structure of their radial and angular fluctuations. Investigating these geometric characteristics yields two distinct procedures to infer the scattering cross-section from the phase and intensity fluctuations of the weakly scattered amplitude, thus generalizing the results obtained in the strong scattering case. </p> / Thesis / Doctor of Philosophy (PhD)

sacttering

coherent summation

birth-death-immigration

anomaly detection

Unsupervised Anomaly Detection and Explainability for Ladok Logs

Edholm, Mimmi

January 2023

Anomaly detection is the process of finding outliers in data. This report will explore the use of unsupervised machine learning for anomaly detection as well as the importance of explaining the decision making of the model. The project focuses on identifying anomalous behaviour in Ladok data from their frontend access logs, with emphasis on security issues, specifically attempted intrusion. This is done by implementing an anomaly detection model which consists of a stacked autoencoder and k-means clustering as well as examining the data using only k-means. In order to attempt to explain the decision making progress, SHAP is used. SHAP is a explainability model that measure the feature importance. The report will include an overview of the necessary theory of machine learning, anomaly detection and explainability, the implementation of the model as well as examine how to explain the process of the decision making in a black box model. Further, the results are presented and a discussion is held about how the models have performed on the data. Lastly, the report concludes whether the chosen approach has been appropriate and proposes how the work could be improved in future work. The study concludes that the results from this approach was not the desired outcome, and might therefore not be the most suitable.

machine learing

anomaly detection

ml

Computer Sciences

Datavetenskap (datalogi)

Combining Static Analysis and Dynamic Learning to Build Context Sensitive Models of Program Behavior

Liu, Zhen

10 December 2005

This dissertation describes a family of models of program behavior, the Hybrid Push Down Automata (HPDA) that can be acquired using a combination of static analysis and dynamic learning in order to take advantage of the strengths of both. Static analysis is used to acquire a base model of all behavior defined in the binary source code. Dynamic learning from audit data is used to supplement the base model to provide a model that exactly follows the definition in the executable but that includes legal behavior determined at runtime. Our model is similar to the VPStatic model proposed by Feng, Giffin, et al., but with different assumptions and organization. Return address information extracted from the program call stack and system call information are used to build the model. Dynamic learning alone or a combination of static analysis and dynamic learning can be used to acquire the model. We have shown that a new dynamic learning algorithm based on the assumption of a single entry point and exit point for each function can yield models of increased generality and can help reduce the false positive rate. Previous approaches based on static analysis typically work only with statically linked programs. We have developed a new component-based model and learning algorithm that builds separate models for dynamic libraries used in a program allowing the models to be shared by different program models. Sharing of models reduces memory usage when several programs are monitored, promotes reuse of library models, and simplifies model maintenance when the system updates dynamic libraries. Experiments demonstrate that the prototype detection system built with the HPDA approach has a performance overhead of less than 6% and can be used with complex real-world applications. When compared to other detection systems based on analysis of operating system calls, the HPDA approach is shown to converge faster during learning, to detect attacks that escape other detection systems, and to have a lower false positive rate.

Intrusion detection

anomaly detection

computer security

information assurance

automata model

Unsupervised Anomaly Detection in Numerical Datasets

Joshi, Vineet

05 June 2015

No description available.

Computer Science

Data Mining

Anomaly Detection

Outlier Detection

Subspaces