Real-Time Anomalous Branch Behavior Inference with a GPU-inspired Engine for Machine Learning Models
Hyunyoung Oh1,a, Hayoon Yi1,b, Hyeokjun Choe1,c, Yeongpil Cho2, Sungroh Yoon1,d and Yunheung Paek1,e
1ECE and ISRC, Seoul National University
ahyoh@sor.snu.ac.kr
bhyyi@sor.snu.ac.kr
cgenesis1104@snu.ac.kr
dsryoon@snu.ac.kr
eypaek@snu.ac.kr
2Soongsil University
ypcho@ssu.ac.kr
ABSTRACT
Attacks on embedded devices are likely to occur any time in unexpected manners. Thus, the defense systems based on fixed sets of rules will easily be subverted by such unexpected, unknown attacks. Learning-based anomaly detection may potentially prevent new unknown zero-day attacks by leveraging the capability of machine learning (ML) to learn the intricate true nature of software hidden within raw information. This paper introduces our work to develop an MPSoC, called RTAD, which can efficiently support in hardware various ML models that run to detect anomalous behaviors on embedded devices in a real-time fashion, and thus enable the devices to counteract the anomalies in the field. In the IoT era, the importance of security for embedded devices cannot be exaggerated because they will become an enticing target for adversaries as they are being integrated into everyday life to provide users with various services. The above-mentioned potential of learningbased detection is believed to benefit those deployed devices under attacks occurring any time during their field operations in unexpected manners. We hereby assume that ML models are trained with runtime branch information as their data features since a sequence of branches serves as a record of control flow transfers during program execution. In fact, there have been numerous ML studies that examine various types of branches in order to infer (or detect) anomaly in branch behaviors that may be induced by diverse attacks that can cause deviant control flow in software. Our goal of real-time anomalous branch behavior inference poses two challenges to our development of RTAD. Firstly, RTAD must collect and transfer in a timely fashion a sequence of branches as the input to the ML model. Secondly, RTAD must be able to promptly process the delivered branch data with the ML model. To tackle these challenges, we have implemented in RTAD two core components: an input generation module and a GPU-inspired ML processing engine. According to our experiments, RTAD enables various ML models to infer anomaly instantly after the victim program behaves aberrantly as the result of attacks being injected into the system.
Keywords: Anomaly detection, Machine learning, Embedded system, Runtime security.
