Improving accuracy of HPC-based malware classification for embedded platforms using gradient descent optimization



REGULAR PAPER

Improving accuracy of HPC-based malware classification for embedded platforms using gradient descent optimization

Manaar Alam1 · Debdeep Mukhopadhyay1 · Sai Praveen Kadiyala2 · Siew-Kei Lam2 · Thambipillai Srikanthan2

Received: 31 January 2019 / Accepted: 26 May 2020 © Springer-Verlag GmbH Germany, part of Springer Nature 2020

Abstract

Malware detection is still one of the difficult problems in computer security because of the daily occurrence of newer varieties of malware programs. There have been enormous efforts in developing a generalized solution to this critical security aspect, but little has been done considering the security of resource-constrained embedded devices. In this paper, we attempt to develop a lightweight malware detection tool explicitly designed for embedded platforms using micro-architectural side-channel information obtained through Hardware Performance Counters (HPCs) and high-level programs representing Operating System (OS) resources. The methodology uses statistical hypothesis testing, in the form of a t-test, to develop a metric, called λ, which indicates a conceptual boundary between the programs that are allowed to run on a given embedded platform and the codes that are suspected to be malware. The metric is computed based on observations obtained from carefully chosen features, which are tuples of high-level programs representing OS resources along with low-level HPCs. An ideal λ-value for a malicious program is 1, as opposed to 0 for a benign application. However, in reality, the efficacy of λ in classifying a program as malware or benign largely depends on the proper assignment of weights to the tuples. We employ a gradient-descent-based learning mechanism to determine optimal choices for these weights. We present detailed experimental results on an embedded Linux running on an ARM processor, which validate that the proposed lightweight side-channel-based learning mechanism improves the classification accuracy significantly compared to an ad-hoc selection of weights, leading to significantly lower false positives and false negatives in all our test cases.

Keywords Malware detection · Hardware performance counters · Embedded system

Corresponding author: Manaar Alam, alam.manaar@iitkgp.ac.in
Debdeep Mukhopadhyay, debdeep@cse.iitkgp.ac.in
Sai Praveen Kadiyala, saipraveen@ntu.edu.sg
Siew-Kei Lam, siewkei_lam@pmail.ntu.edu.sg
Thambipillai Srikanthan, ASTSRIKAN@ntu.edu.sg

1 Indian Institute of Technology Kharagpur, Kharagpur, India
2 Nanyang Technological University, Singapore, Singapore

1 Introduction

Embedded systems are of growing importance because of their emerging applications, ranging from automotive to Internet-of-Things. The embedded processing units are often expected to perform dedicated and limited computations, as opposed to a general-purpose computing platform. These processing units can serve as a coveted attack surface for adversaries for varied reasons, such as: they are easily accessible to attackers, giving opportunities for physical attacks; embedded operating system