Hardware-assisted Malware Detection for Securing Embedded Systems
In the era of the Internet of Things (IoT), Malware has been proliferating exponentially over the past decade. Traditional Anti-Virus Software (AVS) is ineffective against modern complex Malware. To address this challenge, researchers have proposed hardware-assisted Malware detection using Hardware Performance Counters (HPCs). The HPCs are used to train a set of Machine Learning (ML) classifiers, which are deployed as Hardware-assisted Malware Detectors (HMDs) and used to distinguish benign programs from Malware. Recently, adversarial attacks have been designed that introduce perturbations into HPC traces so that a program is misclassified for specific HPCs. The attacks function by inducing sleep and running dummy benign instructions to bolster the count of incurred HPCs. Furthermore, HPC-based techniques can suffer from a high false positive rate because benign and malicious applications execute similar instructions. Lastly, HPC-based detection can be infeasible in devices that do not possess HPCs or have limited profiling capabilities. This dissertation explores and extends current HPC-based detection schemes with several improvements, presented in multiple parts. First, various traditional ML classifiers are evaluated for HPC-based detection, and this security is extended to automotive vehicles by securing an engine control unit from malicious attacks. Second, a Moving Target Defense (MTD), which dynamically changes the attack surface to jeopardize attackers' endeavors, and Non-Differential HMDs (ND-HMDs), which use gradient-free classifiers, are developed. Third, tailor-made HPCs, which sample assembly instructions from an application's dynamic trace, are introduced as a solution for devices without HPCs; they also provide finer-grained precision for reducing false positives. Fourth, to further ameliorate the aforementioned problems, a Sequential Time Series-based Detection (SEQ-TSD) framework for identifying Malware is proposed that utilizes only a single HPC. Finally, an explainable HPC-based Malware detection technique that furnishes the location of the most malicious instruction is produced to provide human-readable results.