SiPTA: Signal Processing for Trace-based Anomaly Detection

Given a set of historic good traces, trace-based anomaly detection deals with the problem of determining whether or not a specific trace represents a normal execution scenario. Most current approaches mainly focus on application areas outside of the embedded systems domain and thus do not take advantage of the intrinsic properties of this domain. This work introduces SiPTA, a novel technique for offline trace-based anomaly detection that utilizes the intrinsic feature of periodicity found in embedded systems. SiPTA uses signal processing as the underlying processing algorithm. The paper describes a generic framework for mapping execution traces to channels and signals for further processing. The classification stage of SiPTA uses a comprehensive set of metrics adapted from standard signal processing. The system is particularly useful for embedded systems, and the paper demonstrates this by comparing SiPTA with state-of-the-art approaches based on Markov Model and Neural Networks. The paper shows the technical feasibility and viability of SiPTA through multiple case studies using traces from a field-tested hexacopter, a mobile phone platform, and a car infotainment unit. In the experiments, our approach outperformed every other tested method.