|
CMU-CS-01-157
Computer Science Department
School of Computer Science, Carnegie Mellon University
CMU-CS-01-157
Anomaly Detection in Embedded Systems
Roy A. Maxion, Kymie M.C. Tan
October 2001
To appear in the IEEE Transactions on Computers, January 2002.
CMU-CS-01-157.ps
CMU-CS-01-157.pdf
Keywords: Anomaly, anomaly detection, coverage, dependability
By employing fault tolerance, embedded systems can withstand both
intentional and unintentional faults. Many fault-tolerance
mechanisms are invoked only after a fault has been detected by
whatever fault-detection mechanism is used, hence the process of
fault detection must itself be dependable if the system is expected
to be fault tolerant. Many faults are detectable only indirectly, as
a result of performance disorders that manifest as anomalies in
monitored system or sensor data. Anomaly detection, therefore, is
often the primary means of providing early indications of faults. As
with any other kind of detector, one seeks full coverage of the
detection space with the anomaly detector being used. Even if
coverage of a particular anomaly detector falls short of 100\%,
detectors can be composed to effect broader coverage, once their
respective sweet spots and blind regions are known. This paper
provides a framework and a fault-injection methodology for mapping an
anomaly detector's effective operating space, and shows that two
detectors, each designed to detect the same phenomenon, may not
perform similarly, even when the event to be detected is
unequivocally anomalous, and should be detected by either detector.
Both synthetic and real-world data are used.
34 pages
|