Hierarchical Attention-Based Anomaly Detection Model for Embedded Operating Systems

Cited by: 15
Authors
Ezeme, Mellitus O. [1]
Mahmoud, Qusay H. [1]
Azim, Akramul [1]
Affiliation
[1] Univ Ontario Inst Technol, Dept Elect Comp & Software Engn, Oshawa, ON, Canada
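Source
2018 IEEE 24TH INTERNATIONAL CONFERENCE ON EMBEDDED AND REAL-TIME COMPUTING SYSTEMS AND APPLICATIONS (RTCSA) | 2018
Funding
Natural Sciences and Engineering Research Council of Canada;
Keywords
INTRUSION DETECTION;
DOI
10.1109/RTCSA.2018.00035
Chinese Library Classification number
TP31 [Computer Software];
Subject classification code
081202; 0835;
Abstract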
Real-time embedded system applications have become pervasive, and with the increasing reliance on automated systems for both critical and non-critical tasks, the trend is set to continue. This growing reliance on real-time embedded systems, as well as the rise in the complexity of these systems, demands an efficient monitoring tool that takes the complex interactions in the system into consideration. These systems are well-specified, and there exist standard error or fault detection mechanisms to detect when an anomaly occurs in the applications controlling the operation. Nonetheless, these anomaly detection mechanisms gather information about the behavior of the software against its intended goals through the use of plausibility checks which rely on a priori knowledge of the application behavior. This kind of test raises two issues: (1) there should be a complete characterization of the software to derive the redundant information needed for plausibility checks, (2) this test focuses mainly on detecting errors/faults/anomalies in a single application with no regard to other entities in the integrated system. On the other hand, an embedded real-time system (fitted with an operating system) usually has the operating system and the integrated application statically linked to produce a single executable image. This bespoke nature of the embedded real-time system design means that the kernel traces reflect the behavior of the application and the associated hardware components at every point in time. Consequently, detecting deviations in the kernel trace invariably implies system-wide anomaly detection in the associated application and hardware. Thus, this paper targets anomalies not just in the application layer, but also in other layers that make up the real-time embedded system. Therefore, we introduce a hierarchical attention-based anomaly detection (HAbAD) model based on stacked Long Short-Term Memory (LSTM) Networks with Attention.
It is a closed-world prediction-classification model which uses the reconstruction error from a non-parametric kernel density estimator to detect when an anomaly has occurred. We show the effectiveness of this approach using a publicly available dataset, and the results confirm that this is a robust means of detecting anomalies in real-time embedded systems.
Pages: 225-231
Page count: 7