Hardware-assisted Malware Detection for Securing Embedded Systems

Journal Title
Journal ISSN
Volume Title

In the era of Internet of Things (IoT), Malware has been proliferating exponentially over the past decade. Traditional Anti-Virus Software (AVS) is ineffective against modern complex Malware. In order to address this challenge, researchers have proposed hardware-assisted Malware detection using Hardware Performance Counters (HPCs). The HPCs are used to train a set of Machine learning (ML) classifiers, which are deployed as Hardware-assisted Malware Detectors (HMDs), and used to distinguish benign programs from Malware. Recently, adversarial attacks have been designed by introducing perturbations into HPC traces to misclassify a program for specific HPCs. The attacks function by inducing sleep and running dummy benign instructions to bolster the count of incurred HPCs. Furthermore, HPC-based techniques can suffer from a high false positive rate due to the similar executed instructions in both benign and malicious applications. Lastly, HPC-based detection can be infeasible in devices that do not possess HPCs or have limited profiling capabilities. This dissertation extends and explores various improvements to current HPC-based detection schemes in a multi-part operation. First, various different traditional ML classifiers are evaluated for HPC-based detection and this security is extended to automotive vehicles by securing an engine control unit from malicious attacks. Second, a Moving Target Defense (MTD) that dynamically changes the attack surface to jeopardize attackers’ endeavors, as well as Non-Differential HMDs (ND-HMDS), which use gradient free classifiers, is developed. Third, tailor-made HPCs, which sample assembly instructions from an application’s dynamic trace, are introduced as a solution for devices without HPCs in addition to providing better fine-grain precision for reducing false positives. Fourth, to further ameliorate the aforementioned problems, a Sequential Time Series-based Detection (SEQ-TSD) framework for identifying Malware is proposed that utilizes only a single HPC. Finally, an explainable HPC-based Malware technique that furnishes the location of the most malicious instruction is produced for providing human-readable results.

Computer Science, Engineering, Electronics and Electrical