DOI: 10.1145/3075564.3075578
research-article

Data mining the memory access stream to detect anomalous application behavior

Published: 15 May 2017

Abstract

Detecting anomalous application executions is a challenging problem, due to the diversity of anomalies that can occur, such as programming bugs, silent data corruption, or even malicious code corruption. Moreover, the similarity to a regular execution that can occur in these cases, especially in silent data corruption, makes distinction from normal executions difficult. In this paper, we develop a mechanism that can detect such anomalous executions based on changes in the memory access pattern of an application. We analyze memory patterns using a two-level machine learning approach. First, we classify the behavior of different memory access periods within applications using Gaussian mixtures. Then, based on these classifications, we construct matrix representations of Markov chains to obtain information regarding the temporal behavior of these memory accesses. Based on metrics of matrix similarity, we can classify whether the application behaves as expected or anomalously. Using gradient boosting on the metrics of matrix similarity, our technique correctly classifies more than 85% of all executions, identifying instances of the same application and different applications. We can also detect a range of faulty executions caused by benign or malicious permanent bit flips in the code section.
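
The two-level pipeline from the abstract, sketched as an added example (not code from the paper). Assumptions: each memory access period is reduced to one constructed feature (mean stride), the Gaussian mixture is already fitted with constructed parameters, Frobenius distance stands in for the unnamed matrix-similarity metrics, and a fixed threshold replaces the gradient-boosting classifier.

```python
import math

# Constructed, pre-fitted 1-D Gaussian mixture over a per-period feature
# (assumed here: mean access stride in bytes). Tuples are (weight, mean, std).
COMPONENTS = [(0.5, 8.0, 2.0), (0.3, 64.0, 10.0), (0.2, 4096.0, 500.0)]

def classify_period(x, components=COMPONENTS):
    """Level 1: index of the mixture component with the highest posterior."""
    def log_score(c):
        w, mu, sd = c
        return math.log(w) - math.log(sd) - 0.5 * ((x - mu) / sd) ** 2
    return max(range(len(components)), key=lambda k: log_score(components[k]))

def transition_matrix(labels, n_states):
    """Level 2: row-stochastic Markov matrix of label-to-label transitions."""
    counts = [[0] * n_states for _ in range(n_states)]
    for a, b in zip(labels, labels[1:]):
        counts[a][b] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A state that is never left gets an all-zero row, not a division by zero.
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix

def frobenius_distance(p, q):
    """One possible matrix-similarity metric (assumed; not named in the abstract)."""
    return math.sqrt(sum((a - b) ** 2 for rp, rq in zip(p, q) for a, b in zip(rp, rq)))

def profile(strides):
    """Classify every period, then summarize the label sequence as a matrix."""
    labels = [classify_period(s) for s in strides]
    return transition_matrix(labels, len(COMPONENTS))

def is_anomalous(baseline, observed, threshold=0.5):
    """Fixed threshold (assumed) in place of the paper's gradient boosting."""
    return frobenius_distance(profile(baseline), profile(observed)) > threshold

# Constructed per-period stride samples: a reference run, a repeat run with
# small jitter, and a run whose ordering of access phases has changed.
REFERENCE = [8, 9, 7, 60, 66, 8, 7, 62, 70, 4000, 8, 9]
REPEAT = [7, 8, 9, 65, 61, 9, 8, 66, 59, 4200, 7, 8]
DEVIATING = [8, 4100, 4000, 8, 3900, 4200, 9, 4050, 60, 3950, 8, 4000]
```

The repeat run differs in raw values but yields the same label sequence and therefore the same transition matrix, which is why the comparison is done on temporal structure rather than on the access values themselves.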

Published In

CF'17: Proceedings of the Computing Frontiers Conference
May 2017
450 pages
ISBN: 9781450344876
DOI: 10.1145/3075564
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Memory access patterns
  2. machine learning
  3. single bit flips

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CF '17
CF '17: Computing Frontiers Conference
May 15 - 17, 2017
Siena, Italy

Acceptance Rates

CF'17 Paper Acceptance Rate 43 of 87 submissions, 49%;
Overall Acceptance Rate 273 of 785 submissions, 35%
