Analysis of control flow events for timing-based runtime anomaly detection

Sixing Lu, Roman L Lysecky

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Scopus citations


Embedded system security has become a critical challenge given the increasing prevalence of network-connected systems. While anomaly-based detection methods provide the advantage of detecting zero-day exploits, existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this paper, we present a formal runtime security model that defines the normal system behavior. The runtime security model is applied to a timing-based, runtime anomaly detection method that utilizes on-chip hardware to non-intrusively monitor both the system execution sequence and execution timing to detect malicious activity. Monitoring all possible execution paths of an embedded application is infeasible due to its complexity. Thus, we analyze the properties of the timing distribution for control flow events within a network- connected pacemaker to evaluate the resulting detection rate for various levels of mimicry attacks, considering constraints on the number of monitored events supported in the on-chip hardware.

Original languageEnglish (US)
Title of host publicationProceedings of the 10th Workshop on Embedded Systems Security, WESS 2015
PublisherAssociation for Computing Machinery, Inc
ISBN (Electronic)9781450336673
StatePublished - Oct 4 2015
Event10th Workshop on Embedded Systems Security, WESS 2015 - Amsterdam, Netherlands
Duration: Oct 4 2015Oct 9 2015


Other10th Workshop on Embedded Systems Security, WESS 2015


  • Anomaly detection
  • Embedded system security
  • Network-connected pacemaker
  • Software security
  • Timing based detection

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture


Dive into the research topics of 'Analysis of control flow events for timing-based runtime anomaly detection'. Together they form a unique fingerprint.

Cite this