PESKEA: Anomaly Detection Framework for Profiling Kernel Event Attributes in Embedded Systems

In the software development life cycle, we use the execution traces of a given application to examine the behavior of the software when an error occurs or to monitor the software performance and compliance. However, this type of application trace analysis focuses on checking the performance of the software against its design goals. Conversely, the operating system (OS) sits between the application and the hardware, and traces logged from this layer capture the behavior of the embedded system and not just the application. Hence, an analysis of the kernel events captures the system-wide performance of the embedded system. Consequently, we present a feature-based anomaly detection framework called PESKEA, which exploits the statistical variance of the features in the execution traces of an embedded OS to perform trace classification, and subsequently, anomaly detection. We test PESKEA with two public datasets we refer to as Dataset I and Dataset II. On Dataset I, PESKEA results show a 3 to 6 percent improvement in the true positive rate (TPR) of Dataset I compared to the previous work tested on this dataset, and scores between 88.37 to 100 percent in Dataset II. We hope to test PESKEA on non-UAV embedded control application datasets in future work.