TY - JOUR
T1 - Runtime Malware Detection Using Embedded Trace Buffers
AU - Elnaggar, Rana
AU - Basu, Kanad
AU - Chakrabarty, Krishnendu
AU - Karri, Ramesh
N1 - Funding Information:
This work was supported in part by NYU CCS; in part by NYU-AD CCS; and in part by NSF Awards under Grant 1526405, Grant 1513130, and Grant 2011561.
Publisher Copyright:
© 1982-2012 IEEE.
PY - 2022/1/1
Y1 - 2022/1/1
N2 - Anti-virus software (AVS) tools are used to detect malware in a system. However, AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as hardware performance counters have been used for malware detection. In this article, we propose PREEMPT (preempts malware by examining embedded processor traces), a zero-overhead, high-accuracy, low-latency technique to detect malware by repurposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the input/output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt malware before it causes damage. The benefits of reusing the ETB for malware detection include increased robustness against attacks and no performance penalties. PREEMPT can detect malware on an OpenSPARC T1 core running the Linux operating system with an F1-score of 96.6%.
AB - Anti-virus software (AVS) tools are used to detect malware in a system. However, AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as hardware performance counters have been used for malware detection. In this article, we propose PREEMPT (preempts malware by examining embedded processor traces), a zero-overhead, high-accuracy, low-latency technique to detect malware by repurposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the input/output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt malware before it causes damage. The benefits of reusing the ETB for malware detection include increased robustness against attacks and no performance penalties. PREEMPT can detect malware on an OpenSPARC T1 core running the Linux operating system with an F1-score of 96.6%.
KW - Machine learning
KW - System security
KW - System validation
UR - http://www.scopus.com/inward/record.url?scp=85100451296&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85100451296&partnerID=8YFLogxK
U2 - 10.1109/TCAD.2021.3052856
DO - 10.1109/TCAD.2021.3052856
M3 - Article
AN - SCOPUS:85100451296
SN - 0278-0070
VL - 41
SP - 35
EP - 48
JO - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
JF - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
IS - 1
ER -