PREEMPT: PReempting Malware by Examining Embedded Processor Traces

Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94% and maintains a low False Positive value of 2%.

[1]  Ítalo S. Cunha,et al.  The Evolution of Bashlite and Mirai IoT Botnets , 2018, 2018 IEEE Symposium on Computers and Communications (ISCC).

[2]  Vijay Varadharajan,et al.  Antivirus security: naked during updates , 2014, Softw. Pract. Exp..

[3]  Smruti R. Sarangi,et al.  Reusing trace buffers to enhance cache performance , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[4]  Nicola Nicolici,et al.  Algorithms for State Restoration and Trace-Signal Selection for Data Acquisition in Silicon Debug , 2009, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[5]  Prabhat Mishra,et al.  RATS: Restoration-Aware Trace Signal Selection for Post-Silicon Validation , 2013, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[6]  Vitaly Shmatikov,et al.  Abusing File Processing in Malware Detectors for Fun and Profit , 2012, 2012 IEEE Symposium on Security and Privacy.

[7]  Qiang Xu,et al.  Trace signal selection for visibility enhancement in post-silicon validation , 2009, 2009 Design, Automation & Test in Europe Conference & Exhibition.

[8]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[9]  Vijay Janapa Reddi,et al.  Quantifying and improving the efficiency of hardware-based mobile malware detectors , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[10]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[11]  Ramesh Karri,et al.  NumChecker: Detecting kernel control-flow modifying rootkits by using Hardware Performance Counters , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[12]  Gary McGraw,et al.  Attacking Malicious Code: A Report to the Infosec Research Council , 2000, IEEE Software.

[13]  Geoffrey E. Hinton,et al.  Visualizing Data using t-SNE , 2008 .

[14]  Ajay Joshi,et al.  Hardware Performance Counters Can Detect Malware: Myth or Fact? , 2018, AsiaCCS.

[15]  David Wentzlaff,et al.  OpenPiton: An Open Source Manycore Research Framework , 2016, ASPLOS.

[16]  J. Hoe,et al.  OpenSPARC : An Open Platform for Hardware Reliability Experimentation , 2008 .

[17]  Sandip Ray,et al.  Efficient trace signal selection using augmentation and ILP techniques , 2014, Fifteenth International Symposium on Quality Electronic Design.

[18]  Salvatore J. Stolfo,et al.  On the feasibility of online malware detection with performance counters , 2013, ISCA.