Hardware assisted malware detection for embedded systems

Abstract

Malware detection still remains as one of the greatest challenges in computer security due to increasing variants of malicious programs. Despite efforts to develop a generalized solution, little has been done to address the security of resource constrained embedded systems. Software solutions such as anti-virus software typically require high compute power and are not suitable for embedded systems. In addition, they also fail in detecting zero-day malware and are vulnerable to obfuscation. Hardware-based solutions using low-level architectural features, on the other hand, have shown insights in efficiently detecting sophisticated malware. However, state-of-the-art Hardware Performance Counters (HPCs) based malware detection, a popular branch in hardware-based solutions, relies on computationally intensive machine learning models and has not been explored in ARM-based embedded Linux systems. Therefore, in this project, we propose an HPC-based lightweight malware detection tool to serve as the first line of defence against malware. The tool is based on a statistical method to differentiate HPC datasets of two classes; benign and malware. We collect HPC values of carefully selected operating system programs (indicators) when benign or malicious programs are executed on the system. A statistical method is employed to analyse the corresponding HPC datasets, which are then used to train a model. We proceed to run an unknown program and obtain HPC values of the same indicators. These HPC values are analysed statistically to evaluate its similarity to the benign behaviour of the system. A distance metric, λ, is proposed, combining the HPC profiles of the unknown program and the trained model. A large λ value suggests that the unknown program is malicious, or benign otherwise. The efficacy of λ is highly dependent on the selection of HPC events, indicator programs and the set of benign programs that defines the expected behaviour of the system. Hence, we have conducted several experiments to select and validate the aforementioned features. We implemented the proposed malware detection methodology on a NVIDIA® Jetson Xavier™ NX Development Board running embedded Linux on an ARM processor. Benign applications covering four different benchmark suites and over 20 malware applications of different malware types have been used for training and cross-validation. We justify through experimental results that the classification accuracy is improved through proper assignment of weights and selection of features, leading to low false positives and false negatives in our test cases. Last but not least, we propose a real-time malware detection concept which includes actively collecting HPC information and evaluating the λ-value of the system concurrently.