Method of resource-limited device and device class identification using system and function call tracing techniques, performance, and statistical analysis
First Claim
1. A method of device and device class classification, the method comprising:
- providing a known cyber physical system (CPS) device;
- extracting, by an extracting device, using system and function call tracing techniques, system and function calls and parameters from the known CPS device;
- extracting, by the extracting device using system and function call tracing techniques, system and function calls and parameters at different time intervals from the known CPS device;
- calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;
- determining whether the autocorrelation value is greater than a threshold amount; and
- storing in computer memory, the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than the threshold amount in a database, the database being subdivided into classes of CPS devices.
Abstract
Methods for cyber physical systems device classification are provided. A method can include receiving system and function calls and parameters and a device performance index from an unknown CPS device and a device performance index of similar class of CPS devices, calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device, determining whether the autocorrelation value is greater than a threshold amount, and storing the system and function calls and parameters and the device performance characteristics of the known CPS device in the database. A method can also include calculating a correlation between system and function calls and parameters of an unknown CPS device and known CPS devices classes included in the database, as well as determining whether the maximum correlation is also greater than a threshold amount.
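The enrollment and matching flow described in the abstract, as an added sketch that is not code from the patent. It assumes each trace is reduced to a call-count vector over a fixed vocabulary, that the "autocorrelation" between realizations is the minimum pairwise Pearson correlation, and that the class names and sample traces are constructed; the 0.6 threshold is the one stated in claim 20, and the device performance index is left out.

```python
from collections import Counter
from itertools import combinations
from math import sqrt

# Assumed fixed call vocabulary; the page does not define a feature encoding.
VOCAB = ["read", "write", "ioctl", "sendto", "recvfrom", "nanosleep", "open", "close"]
THRESHOLD = 0.6  # the value named in claim 20

def profile(trace):
    """Turn a traced call sequence into a count vector over VOCAB."""
    counts = Counter(trace)
    return [counts[name] for name in VOCAB]

def pearson(a, b):
    """Pearson correlation; 0.0 when either vector has no variance."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    norm = sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return cov / norm if norm else 0.0

def enroll(db, device_class, realizations, threshold=THRESHOLD):
    """Store a known device's mean profile only if its runs agree with each other."""
    vectors = [profile(t) for t in realizations]
    stability = min(pearson(a, b) for a, b in combinations(vectors, 2))
    if stability > threshold:
        db[device_class] = [sum(col) / len(col) for col in zip(*vectors)]
    return stability

def classify(db, trace, threshold=THRESHOLD):
    """Return (class, score) for the best-matching class, or (None, score) if below threshold."""
    vector = profile(trace)
    best_class, best = max(((c, pearson(vector, p)) for c, p in db.items()), key=lambda cp: cp[1])
    return (best_class if best > threshold else None), best

def calls(**counts):
    """Build a constructed trace, e.g. calls(read=2) -> ['read', 'read']."""
    return [name for name, n in counts.items() for _ in range(n)]

# Constructed sample traces (not from the patent).
db = {}
enroll(db, "camera", [calls(ioctl=40, read=30, write=20, sendto=10),
                      calls(ioctl=38, read=33, write=19, sendto=12, close=1)])
enroll(db, "thermostat", [calls(nanosleep=50, read=5, sendto=5, recvfrom=5),
                          calls(nanosleep=48, read=6, sendto=4, recvfrom=6)])
unstable = enroll(db, "unstable", [calls(open=30, close=30), calls(recvfrom=40, write=20)])
known = classify(db, calls(ioctl=41, read=29, write=22, sendto=9))
stranger = classify(db, calls(open=20, close=20, recvfrom=10))
print(sorted(db), round(unstable, 2), known, stranger)
```

The device whose two runs disagree is never stored, and a trace that matches no enrolled class comes back as `None` rather than being forced into the nearest class.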
20 Claims
1. A method of device and device class classification, the method comprising:
- providing a known cyber physical system (CPS) device;
- extracting, by an extracting device, using system and function call tracing techniques, system and function calls and parameters from the known CPS device;
- extracting, by the extracting device using system and function call tracing techniques, system and function calls and parameters at different time intervals from the known CPS device;
- calculating an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;
- determining whether the autocorrelation value is greater than a threshold amount; and
- storing in computer memory, the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than the threshold amount in a database, the database being subdivided into classes of CPS devices.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A non-transitory computer-readable storage medium comprising stored instructions thereon, the instructions when executed causing a processor to:
- receive system and function calls and parameters from a known CPS device;
- receive device performance characteristics from the known CPS device;
- receive system and function calls and parameters at different time intervals from the known CPS device;
- receive device performance characteristics at different time intervals from the known device;
- calculate an autocorrelation value between different executions of the system and function calls and parameters of the known CPS device;
- determine whether the autocorrelation value is greater than a threshold amount; and
- store the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than a threshold amount in a database, the database being subdivided into classes of CPS devices.

Dependent claims: 14, 15, 16, 17, 18, 19

20. A non-transitory computer-readable storage medium comprising stored instructions thereon, the instructions when executed causing a processor to:
- receive system and function calls and parameters from a known Cyber Physical Systems (CPS) device;
- receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the known CPS device;
- receive system and function calls and parameters from a known CPS device;
- receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the unknown CPS device;
- calculate an autocorrelation value between different realizations of the system and function calls and parameters of the known CPS device;
- determine whether the autocorrelation value is greater than 0.6;
- store the system and function calls and parameters of the known CPS device whose autocorrelation value is greater than 0.6 in a database, the database being subdivided into classes of CPS devices;
- receive system and function calls and parameters from an unknown CPS device;
- receive characteristic parameters related to memory utilization, CPU utilization, and real time of application execution from the known CPS device;
- receive from the database, system and function calls and parameters of each CPS device class;
- calculate a correlation value between the system and function calls and parameters of the unknown CPS device and the system and function calls and parameters of each CPS device class in the database;
- determine whether the correlation value is greater than 0.6;
- accept the unknown device whose maximum correlation value is also greater 0.6 in the database as a known CPS device; and
- store the system and function calls and parameters and the device performance characteristics of the unknown CPS device in the database.
Specification