Hardware performance counters based runtime anomaly detection using SVM

The nature of ever-evolving anomalies has become more sophisticated and complex in attacking defense schemes, leading to serious compromises. Existing software-based techniques aim to protect vulnerable software with other software, which is itself prone to compromise, for example through obfuscation-based attacks. Hardware performance counters, on the other hand, offer a robust detection mechanism that is difficult to compromise, since software components are easier to tamper with than hardware features. Hence, in this paper we propose a hardware-based monitoring method for detecting anomalies on embedded devices using carefully selected low-level hardware features. A support vector machine (SVM) classifier is then trained on features obtained from the selected hardware performance counters to produce a model that detects anomalies. Experimental results show that the proposed approach achieves an anomaly detection accuracy close to 100% while relying on only a single trained model. The approach can be generalized across various platforms.
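To make the pipeline in the abstract concrete, the following Python is an added example written for this page; it is not the paper's code. It feeds constructed per-window counter features (branch miss rate, cache miss rate, instructions per cycle, all assumed names, with constructed values rather than measurements) through z-score scaling into a small hand-written linear soft-margin SVM, then uses the single trained model to flag anomalous windows. The paper's actual counter selection, window size and SVM kernel are not stated on this page, so those choices here are assumptions.

```python
"""Added example (not from the paper): HPC-window anomaly detection with a linear SVM.

Everything here is constructed for illustration: the counter-derived feature names,
the sample values, and the hand-written SVM trainer. The paper's own counter
selection and SVM configuration are not given on this page.
"""
import random
from typing import Dict, List, Sequence, Tuple

# Assumed per-window features derived from raw counters (e.g. Linux perf events):
#   branch_miss_rate = branch-misses / branches
#   cache_miss_rate  = cache-misses / cache-references
#   ipc              = instructions / cycles
FEATURES = ("branch_miss_rate", "cache_miss_rate", "ipc")
ANOMALY, BENIGN = 1, -1


def make_windows(n: int, anomalous: bool, rng: random.Random) -> List[Tuple[float, ...]]:
    """Constructed sample windows (not measurements). Benign windows: predictable
    branches, good locality, high IPC. Anomalous windows: elevated miss rates, low IPC."""
    rows = []
    for _ in range(n):
        if anomalous:
            bm, cm, ipc = rng.gauss(0.12, 0.02), rng.gauss(0.08, 0.015), rng.gauss(0.9, 0.15)
        else:
            bm, cm, ipc = rng.gauss(0.03, 0.01), rng.gauss(0.02, 0.008), rng.gauss(1.8, 0.2)
        rows.append((max(bm, 0.0), max(cm, 0.0), max(ipc, 0.0)))
    return rows


def fit_scaler(X: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and standard deviation; z-scoring stops the SVM from being
    dominated by whichever counter has the largest raw magnitude."""
    n, d = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / n for j in range(d)]
    std = [(sum((r[j] - mean[j]) ** 2 for r in X) / n) ** 0.5 or 1.0 for j in range(d)]
    return mean, std


def scale(X, mean, std):
    return [tuple((r[j] - mean[j]) / std[j] for j in range(len(r))) for r in X]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train_svm(X, y, lam=0.01, lr=0.05, epochs=300):
    """Linear soft-margin SVM by batch subgradient descent on
    lam/2 * ||w||^2 + mean(max(0, 1 - y_i * (w.x_i + b)))."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0
        for xi, yi in zip(X, y):
            if yi * (dot(w, xi) + b) < 1.0:  # inside the margin or misclassified
                for j in range(d):
                    gw[j] -= yi * xi[j] / n
                gb -= yi / n
        w = [wj - lr * gj for wj, gj in zip(w, gw)]
        b -= lr * gb
    return w, b


def predict(model, mean, std, window):
    """Classify one raw feature window with the trained model."""
    w, b = model
    (z,) = scale([window], mean, std)
    return ANOMALY if dot(w, z) + b >= 0.0 else BENIGN


def accuracy(model, mean, std, X, y):
    hits = sum(predict(model, mean, std, xi) == yi for xi, yi in zip(X, y))
    return hits / len(X)


def run_demo(seed: int = 7) -> Dict[str, float]:
    """Train on constructed windows, evaluate on held-out ones, flag two hand-picked windows."""
    rng = random.Random(seed)
    train_X = make_windows(200, False, rng) + make_windows(200, True, rng)
    train_y = [BENIGN] * 200 + [ANOMALY] * 200
    test_X = make_windows(100, False, rng) + make_windows(100, True, rng)
    test_y = [BENIGN] * 100 + [ANOMALY] * 100

    mean, std = fit_scaler(train_X)  # scaler is fitted on training data only
    model = train_svm(scale(train_X, mean, std), train_y)
    return {
        "train_accuracy": accuracy(model, mean, std, train_X, train_y),
        "test_accuracy": accuracy(model, mean, std, test_X, test_y),
        "flag_high_miss": predict(model, mean, std, (0.15, 0.10, 0.7)),  # constructed window
        "flag_benign": predict(model, mean, std, (0.02, 0.015, 2.0)),    # constructed window
    }


if __name__ == "__main__":
    print(run_demo())
```

The scaler is fitted on training windows only, so a deployment would ship the model together with the per-feature mean and standard deviation; a new window is scaled with those stored values before the sign of `w.x + b` is taken. Because the classes here are constructed to be linearly separable, a linear kernel suffices; real counter data with overlapping classes would call for a kernel or for revisiting which counters are selected.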
