Improving accuracy of HPC-based malware classification for embedded platforms using gradient descent optimization

  • Regular Paper
  • Published in: Journal of Cryptographic Engineering

Abstract

Malware detection remains one of the most difficult problems in computer security because new varieties of malware programs appear daily. There have been enormous efforts toward a generalized solution to this critical security problem, but little has been done for the security of resource-constrained embedded devices. In this paper, we attempt to develop a lightweight malware detection tool explicitly designed for embedded platforms, using micro-architectural side-channel information obtained through Hardware Performance Counters (HPCs) together with high-level programs representing Operating System (OS) resources. The methodology uses statistical hypothesis testing, in the form of the t-test, to develop a metric, called \(\lambda \), which indicates a conceptual boundary between the programs that are allowed to run on a given embedded platform and the codes that are suspected to be malware. The metric is computed from observations of carefully chosen features, which are tuples of high-level programs representing OS resources paired with low-level HPCs. An ideal \(\lambda \)-value for a malicious program is 1, as opposed to 0 for a benign application. In practice, however, the efficacy of \(\lambda \) in classifying a program as malware or benign depends largely on the proper assignment of weights to the tuples. We employ a gradient-descent-based learning mechanism to determine optimal choices for these weights. We present detailed experimental results on an embedded Linux running on an ARM processor, which validate that the proposed lightweight side-channel-based learning mechanism improves classification accuracy significantly compared to an ad-hoc selection of weights, yielding significantly low false positives and false negatives in all our test cases.
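The exact formulation of \(\lambda \) and the weight-update rule is given in the full text. Purely as a rough, non-authoritative illustration of the pipeline the abstract describes, the sketch below assumes a Welch's t-test per (OS-resource program, HPC) tuple, a \(\lambda \) formed as a normalized weighted sum of per-tuple decisions, and plain batch gradient descent on squared error; the threshold of 4.5, the function names, and the use of NumPy/SciPy are all our assumptions, not the authors' published formulation.

```python
# A minimal, non-authoritative sketch of the pipeline the abstract describes.
# Assumptions (ours, not the authors'): Welch's t-test per (program, HPC)
# tuple, lambda as a normalized weighted sum of per-tuple decisions, and
# batch gradient descent on squared error; the 4.5 threshold follows common
# TVLA practice and may differ from the paper's cutoff.
import numpy as np
from scipy import stats


def tuple_scores(app_obs, benign_obs, threshold=4.5):
    """One 0/1 decision per (OS-resource program, HPC) tuple.

    app_obs, benign_obs: arrays of shape (n_tuples, n_samples) holding HPC
    readings for the application under test and a benign baseline.
    """
    t, _ = stats.ttest_ind(app_obs, benign_obs, axis=1, equal_var=False)
    return (np.abs(t) > threshold).astype(float)


def lam(weights, scores):
    """lambda in [0, 1]: weighted average of the per-tuple decisions."""
    w = np.clip(weights, 0.0, None)
    return float(w @ scores / (w.sum() + 1e-12))


def fit_weights(score_mat, labels, lr=0.05, epochs=500):
    """Learn tuple weights by gradient descent on squared error.

    score_mat: (n_programs, n_tuples) matrix of per-tuple decisions;
    labels: 1 for malware, 0 for benign.  Starts from the ad-hoc uniform
    assignment the paper compares against.
    """
    n_tuples = score_mat.shape[1]
    w = np.full(n_tuples, 1.0 / n_tuples)
    for _ in range(epochs):
        grad = np.zeros_like(w)
        for s, y in zip(score_mat, labels):
            denom = w.sum() + 1e-12
            pred = (w @ s) / denom
            # d(pred)/dw_j = (s_j - pred) / denom for the normalized sum,
            # so dL/dw_j = 2 * (pred - y) * (s_j - pred) / denom.
            grad += 2.0 * (pred - y) * (s - pred) / denom
        w = np.clip(w - lr * grad / len(labels), 0.0, None)  # keep weights >= 0
    return w
```

Under these assumptions, a program whose weighted tuple decisions mostly fire receives a \(\lambda \) close to 1 and is flagged as malware; learning the weights replaces the ad-hoc uniform assignment the abstract mentions.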

Notes

  1. Signature-based antivirus software stores many “features” of known malware in its definition file. Most features are designed by humans, but some do not make sense by themselves, such as a null byte at the end of the file or a particular ratio between file size and printable text size. These nonsensical or unintuitive features are randomly generated and tested by analyzing vast quantities of files. In the end, the signature of a file is described and classified by the combination of these well-tested features.

  2. Popular open-source malware databases like VirusShare [22] and OpenMalware [23] use MD5 as hash signatures.

  3. It provides optimal results for the data used in training, but performs poorly on unseen data.

  4. The sensitivity matrix for which the total error in calculating \(\lambda \) is minimum.

  5. The %CPU Usage and %MEM Usage signify the share of elapsed CPU time and of available physical memory, respectively, calculated per second (see the sketch after these notes).
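
The paper does not name the tool used to collect these figures. Purely as an illustration, the snippet below shows one way to take such per-second readings for a monitored process using the psutil library (our choice, not the authors'; any /proc-based sampler would do):

```python
# Illustrative sketch only: per-second %CPU and %MEM sampling for one
# process via psutil (an assumption; the paper does not specify its tool).
import psutil


def sample_usage(pid, seconds=10):
    """Yield (%CPU, %MEM) once per second for the given process."""
    proc = psutil.Process(pid)
    for _ in range(seconds):
        cpu = proc.cpu_percent(interval=1.0)  # share of elapsed CPU time
        mem = proc.memory_percent()           # share of physical memory
        yield cpu, mem
```

For example, `for cpu, mem in sample_usage(1234): ...` with the PID of the target application.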

References

  1. Das, S., Liu, Y., Zhang, W., Chandramohan, M.: Semantics-based online malware detection: towards efficient real-time protection against malware. IEEE Trans. Inf. Forensics Secur. 11(2), 289–302 (2016)

  2. Chandramohan, M., Tan, H. B. K., Briand, L.C., Shar, L.K., Padmanabhuni, B. M.: A scalable approach for malware detection through bounded feature space behavior modeling. In: 2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013, Silicon Valley, CA, USA, November 11–15, 2013, pp. 312–322, (2013)

  3. Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE Trans. Dependable Secure Comput. 7(4), 381–395 (2010)

  4. Bhattacharya, S., Mukhopadhyay, D.: Who watches the watchmen?: Utilizing performance monitors for compromising keys of RSA on intel platforms. In: Cryptographic Hardware and Embedded Systems–CHES 2015–17th International Workshop, Saint-Malo, France, September 13–16, 2015, Proceedings, pp. 248–266, (2015)

  5. Bhattacharya, S., Mukhopadhyay, D.: Utilizing performance counters for compromising public key ciphers. ACM Trans. Priv. Secur. 21(1), 5:1–5:31 (2018)

  6. Alam, M., Bhattacharya, S., Mukhopadhyay, D., Bhattacharya, S.: Performance counters to rescue: a machine learning based safeguard against micro-architectural side-channel-attacks. IACR Cryptol. ePrint Arch. 2017, 564 (2017)

  7. Alam, M., Bhattacharya, S., Mukhopadhyay, D., Chattopadhyay, A. P.: RAPPER: ransomware prevention via performance counters. CoRR, abs/1802.03909, (2018)

  8. Alam, M., Bhattacharya, S., Dutta, S., Sinha, S., Mukhopadhyay, D., Chattopadhyay, A.: RATAFIA: ransomware analysis using time and frequency informed autoencoders. In: IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2019, McLean, VA, USA, May 5–10, 2019, pp. 218–227, (2019)

  9. Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs? In: Proceedings of the sixth ACM workshop on Scalable trusted computing, STC@CCS 2011, Chicago, Illinois, USA, October 17, 2011, pp. 71–76, (2011)

  10. Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S. J.: On the feasibility of online malware detection with performance counters. In: The 40th Annual International Symposium on Computer Architecture, ISCA’13, Tel-Aviv, Israel, June 23-27, 2013, pp. 559–570, (2013)

  11. Wang, X., Karri, R.: NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters. In: The 50th Annual Design Automation Conference 2013, DAC ’13, Austin, TX, USA, May 29–June 07, 2013, pp. 79:1–79:7, (2013)

  12. Wang, X., Karri, R.: Reusing hardware performance counters to detect and identify kernel control-flow modifying rootkits. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 35(3), 485–498 (2016)

  13. Gascon, H., Yamaguchi, F., Arp, D., Rieck, K.: Structural detection of android malware using embedded call graphs. In: AISec’13, Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, Co-located with CCS 2013, Berlin, Germany, November 4, 2013, pp. 45–54, (2013)

  14. Tang, A., Sethumadhavan, S., Stolfo, S. J.: Unsupervised anomaly-based malware detection using hardware features. In: Research in Attacks, Intrusions and Defenses–17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings, pp. 109–129, (2014)

  15. Wang, X., Chai, S., Isnardi, M.A., Lim, S., Karri, R.: Hardware performance counter-based malware identification and detection with adaptive compressive sensing. ACM Trans. Architect. Code Optim. 13(1), 3:1–3:23 (2016)

  16. Dou, Y., Zeng, K. C., Yang, Y., Yao, D. D.: MadeCR: correlation-based malware detection for cognitive radio. In: 2015 IEEE Conference on Computer Communications, INFOCOM 2015, Kowloon, Hong Kong, April 26–May 1, 2015, pp. 639–647, (2015)

  17. Roy, D.B., Bhasin, S., Patranabis, S., Mukhopadhyay, D., Guilley, S.: What lies ahead: Extending TVLA testing methodology towards success rate. IACR Cryptol. ePrint Arch. 2016, 1152 (2016)

  18. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, Alexandria, VA, USA, November 7–11, 2005, pp. 340–353, (2005)

  19. Kiriansky, V., Bruening, D., Amarasinghe, S. P.: Secure execution via program shepherding. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pp. 191–206, (2002)

  20. Henning, J.L.: SPEC CPU2000: measuring CPU performance in the new millennium. IEEE Comput. 33(7), 28–35 (2000)

  21. De Clercq, R., Verbauwhede, I.: A survey of hardware-based control flow integrity (CFI). CoRR, abs/1706.07257, (2017)

  22. Roberts, J.-M.: VirusShare. https://virusshare.com/

  23. Georgia Tech Information Security Center: Open Malware. http://www.offensivecomputing.net/

  24. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Advances in Cryptology–EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings, pp. 19–35, (2005)

  25. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4-8, 2010, pp. 559–572, (2010)

  26. Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the FREENIX Track: 2005 USENIX Annual Technical Conference, April 10–15, 2005, Anaheim, CA, USA, pp. 41–46, (2005)

  27. Guarnieri, C., Tanasi, A., Bremer, J., Schloesser, M.: The Cuckoo Sandbox. https://cuckoosandbox.org/, (2012)

  28. Hara, Y., Tomiyama, H., Honda, S., Takada, H., Ishii, K.: CHStone: a benchmark program suite for practical C-based high-level synthesis. In: International Symposium on Circuits and Systems (ISCAS 2008), 18–21 May 2008, Sheraton Seattle Hotel, Seattle, Washington, USA, pp. 1192–1195, (2008)

  29. Smith, B., Grehan, R., Yager, T., Niemi, D.C.: A Unix benchmark suite. Technical report, byte-unixbench, (2011)

  30. McVoy, L. W., Staelin, C.: lmbench: portable tools for performance analysis. In: Proceedings of the USENIX Annual Technical Conference, San Diego, California, USA, January 22–26, 1996, pp. 279–294, (1996)

  31. Guthaus, M. R., Ringenberg, J. S., Ernst, D., Austin, T. M., Mudge, T., Brown, R. B.: MiBench: a free, commercially representative embedded benchmark suite. In: IEEE International Workshop on Workload Characterization, WWC-4, 2001, pp. 3–14, (2001)

  32. Patel, N., Sasan, A., Homayoun, H.: Analyzing hardware based malware detectors. In: Proceedings of the 54th Annual Design Automation Conference, DAC 2017, Austin, TX, USA, June 18–22, 2017, pp. 25:1–25:6, (2017)

  33. Ozsoy, M., Khasawneh, K.N., Donovick, C., Gorelik, I., Abu-Ghazaleh, N.B., Ponomarev, D.: Hardware-based malware detection using low-level architectural features. IEEE Trans. Comput. 65(11), 3332–3344 (2016)

  34. Wang, X., Konstantinou, C., Maniatakos, M., Karri, R.: ConFirm: detecting firmware modifications in embedded systems using hardware performance counters. In: Proceedings of the IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015, Austin, TX, USA, November 2–6, 2015, pp. 544–551, (2015)

  35. Elnaggar, R., Chakrabarty, K., Tahoori, M. B.: Run-time hardware trojan detection using performance counters. In: IEEE International Test Conference, ITC 2017, Fort Worth, TX, USA, October 31–November 2, 2017, pp. 1–10, (2017)

Author information

Corresponding author

Correspondence to Manaar Alam.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Alam, M., Mukhopadhyay, D., Kadiyala, S.P. et al. Improving accuracy of HPC-based malware classification for embedded platforms using gradient descent optimization. J Cryptogr Eng 10, 289–303 (2020). https://doi.org/10.1007/s13389-020-00232-9
