Evaluating Convolutional Autoencoders for Anomaly Detection on Space-Filling Curve-Transformed Control Flow Data
Article
Gangwani, P, Perez-Pons, A, Alvarez, G et al. (2026). Evaluating Convolutional Autoencoders for Anomaly Detection on Space-Filling Curve-Transformed Control Flow Data. IEEE Access, 14 4292-4304. 10.1109/ACCESS.2026.3651178
Gangwani, P; Perez-Pons, A; Alvarez, G; De La Cruz, S
Gangwani, Pranav; Perez-Pons, Alexander; Alvarez, Gabriel; De La Cruz, Sebastian
Abstract
Microcontrollers are increasingly targeted by cyber threats, requiring robust and adaptive security mechanisms. This work presents a novel anomaly detection pipeline that transforms microcontroller program control-flow data into Hilbert space-filling curve images, leveraging Convolutional Autoencoders (CAEs) to detect threats. We test this method against two distinct cyberattack scenarios: (1) a function-level attack (a Kalman filter application injected with malicious functions) and (2) a subtle, instruction-level attack (a CRC32 application injected with a single malicious instruction in a benign loop). Our models, trained exclusively on benign program traces, achieved exceptional results. The deep CAE model (M2a) successfully detected the large-scale Kalman attack with a 99.3% F1-Score and, more significantly, the minimal-footprint CRC32 attack with a 99.7% F1-Score. These results are then benchmarked against traditional models (One-class SVM, Isolation Forest, LOF), which performed poorly on the first attack (F1-Scores < 0.74) and failed completely on the second (F1-Scores < 0.61). This demonstrates that our methodology is highly sensitive, capable of identifying not only overt malicious code but also the subtle, instruction-level changes characteristic of sophisticated attacks that raw-trace analysis misses. It also demonstrates the feasibility of this method for improving embedded system security, paving the way for further advancements in intelligent threat detection.