Anomalous Behavior Detection in Processor Based Systems

US Patent No: US 11,481,495 B2

Issued: October 25, 2022

Security Areas: Securing Critical Infrastructure | Artificial Intelligence & Security

Abstract

A method, apparatus and system for anomaly detection in a processor based system includes training a deep learning sequence prediction model using observed baseline behavioral sequences of at least one processor behavior of the processor based system, predicting baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determining a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predicting test behavioral sequences from observed, test behavioral sequences using the sequence prediction model, determining a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and comparing the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

  • Embodiments of methods, apparatuses and systems for detection of anomalous behavior in cyber-physical systems are disclosed herein.

    In some embodiments in accordance with the present principles, a method for anomaly detection in a processor based system includes training a deep learning sequence prediction model using observed baseline behavioral sequences of at least one processor behavior of the processor based system, predicting baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determining a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predicting test behavioral sequences from observed, test behavioral sequences using the sequence prediction model, determining a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and comparing the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments the method can further include determining if a shift exists between the baseline reconstruction error distribution profile and the testing reconstruction error distribution profile to determine that an anomaly exists in a processor behavior of the processor based system and alerting a user of the processor based system to the existence of an anomaly in the processor based system.

    In some embodiments, an apparatus in a processor based system for anomaly detection includes a sequence generator module to train a deep learning sequence prediction model using baseline behavioral sequences of at least one processor behavior of the processor based system observed by at least one sensor, predict baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determine a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predict test behavioral sequences from test behavioral sequences observed by the at least one sensor using the sequence prediction model, and determine a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences. The apparatus can further include a sequence analysis module to compare the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments, a processor based system for anomaly detection includes at least one sensor observing processor functionality of a processor of the processor based system and a computing platform. In some embodiments, the computing platform includes at least one processor and a memory coupled to the processor, the memory having stored therein at least one of programs or instructions executable by the at least one processor to configure the computing platform to train a deep learning sequence prediction model using baseline behavioral sequences of the at least one processor observed by the at least one sensor, predict baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determine a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predict test behavioral sequences from test behavioral sequences observed by the at least one sensor using the sequence prediction model, determine a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and compare the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments, a non-transitory computer-readable medium has stored thereon at least one program, the at least one program including instructions which, when executed by a processor, cause the processor to perform a method in a processor based system for anomaly detection, which includes training a deep learning sequence prediction model using observed baseline behavioral sequences of at least one processor behavior of the processor based system, predicting baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determining a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predicting test behavioral sequences from observed, test behavioral sequences using the sequence prediction model, determining a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and comparing the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments in accordance with the present principles, a method for anomaly detection in a processor based system includes predicting baseline behavioral sequences from observed baseline behavioral sequences using a deep learning sequence prediction model, the deep learning sequence prediction model trained using observed baseline behavioral sequences of at least one processor of the processor based system, determining a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predicting test behavioral sequences from observed, test behavioral sequences using the sequence prediction model, determining a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and comparing the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments the method can further include training the deep learning sequence prediction model using the observed baseline behavioral sequences of at least one processor behavior of the processor based system.

    In some embodiments the method can further include determining if a shift exists between the baseline reconstruction error distribution profile and the testing reconstruction error distribution profile to determine that an anomaly exists in a processor behavior of the processor based system and alerting a user of the processor based system to the existence of an anomaly in the processor based system.

    In some embodiments, an apparatus in a processor based system for anomaly detection includes a sequence generator module to predict baseline behavioral sequences from observed baseline behavioral sequences using a deep learning sequence prediction model, the deep learning sequence prediction model trained using observed baseline behavioral sequences of at least one processor of the processor based system, determine a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predict test behavioral sequences from test behavioral sequences observed by the at least one sensor using the sequence prediction model, and determine a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences. The apparatus can further include a sequence analysis module to compare the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments, the apparatus is further configured to train the deep learning sequence prediction model using the baseline behavioral sequences of at least one processor behavior of the processor based system observed by the at least one sensor.

    In some embodiments, a processor based system for anomaly detection includes at least one sensor observing processor functionality of a processor of the processor based system and a computing platform. In some embodiments, the computing platform includes at least one processor and a memory coupled to the processor, the memory having stored therein at least one of programs or instructions executable by the at least one processor to configure the computing platform to train a deep learning sequence prediction model using baseline behavioral sequences of the at least one processor observed by the at least one sensor, predict baseline behavioral sequences from the observed baseline behavioral sequences using the sequence prediction model, determine a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predict test behavioral sequences from test behavioral sequences observed by the at least one sensor using the sequence prediction model, determine a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and compare the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    In some embodiments, a non-transitory computer-readable medium has stored thereon at least one program, the at least one program including instructions which, when executed by a processor, cause the processor to perform a method in a processor based system for anomaly detection, which includes predicting baseline behavioral sequences from observed baseline behavioral sequences using a deep learning sequence prediction model, the deep learning sequence prediction model trained using observed baseline behavioral sequences of at least one processor of the processor based system, determining a baseline reconstruction error distribution profile using the baseline behavioral sequences and the predicted baseline behavioral sequences, predicting test behavioral sequences from observed, test behavioral sequences using the sequence prediction model, determining a testing reconstruction error distribution profile using the observed test behavioral sequences and the predicted test behavioral sequences, and comparing the baseline reconstruction error distribution profile to the testing reconstruction error distribution profile to determine if an anomaly exists in a processor behavior of the processor based system.

    Other and further embodiments in accordance with the present principles are described below.
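The method summarized above (train on baseline, build a baseline error profile, build a test error profile, compare the two for a shift) can be sketched end to end. This is an added example, not code from the patent: a small n-gram next-event predictor stands in for the deep learning sequence prediction model. The event-ID encoding, window size, Kolmogorov-Smirnov distance and 0.5 alert threshold are all assumptions chosen for illustration.

```python
import random
from bisect import bisect_right
from collections import Counter, defaultdict

ORDER, WINDOW = 2, 50  # context length and window size (assumed values)

def train(seq):
    """Stand-in for the deep model: context -> most frequent next event."""
    table = defaultdict(Counter)
    for i in range(ORDER, len(seq)):
        table[tuple(seq[i - ORDER:i])][seq[i]] += 1
    return {ctx: c.most_common(1)[0][0] for ctx, c in table.items()}

def error_profile(model, seq):
    """Per-window misprediction rate: the reconstruction error distribution."""
    miss = [model.get(tuple(seq[i - ORDER:i])) != seq[i]
            for i in range(ORDER, len(seq))]
    return [sum(miss[j:j + WINDOW]) / WINDOW
            for j in range(0, len(miss) - WINDOW + 1, WINDOW)]

def ks_shift(base, test):
    """Two-sample Kolmogorov-Smirnov distance between two error profiles."""
    b, t = sorted(base), sorted(test)
    return max(abs(bisect_right(b, v) / len(b) - bisect_right(t, v) / len(t))
               for v in b + t)

def trace(loop, n, noise, seed):
    """Constructed behaviour trace: a repeating event loop with random jitter."""
    rng = random.Random(seed)
    return [rng.randrange(4) if rng.random() < noise else loop[i % len(loop)]
            for i in range(n)]

def is_anomalous(base_profile, model, observed, threshold=0.5):
    """Alert when the test error profile has shifted away from the baseline."""
    return ks_shift(base_profile, error_profile(model, observed)) > threshold

# Constructed sample data: event IDs 0-3 form the normal control loop.
baseline = trace([0, 1, 2, 3, 2, 1], 3000, 0.05, seed=1)
model = train(baseline)
base_profile = error_profile(model, baseline)

normal_run = trace([0, 1, 2, 3, 2, 1], 3000, 0.05, seed=2)
# Anomalous run: a different loop using event IDs 4 and 5, absent from baseline.
odd_run = trace([0, 4, 1, 5, 2, 4], 3000, 0.0, seed=3)

if __name__ == "__main__":
    for name, run in (("normal", normal_run), ("anomalous", odd_run)):
        d = ks_shift(base_profile, error_profile(model, run))
        print(f"{name}: KS shift={d:.2f} alert={d > 0.5}")
```

Comparing whole error distributions rather than thresholding single prediction errors means that the jitter already present in the baseline does not raise an alert on its own; only a change in how the errors are distributed does.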