Hardware assisted malware detection for embedded systems
Malware detection remains one of the greatest challenges in computer security because of the ever-increasing number of malware variants. Despite efforts to develop a generalized solution, little has been done to address the security of resource-constrained embedded systems. Software solutions such as anti-virus software typically require high compute power and are not suitable for embedded systems. In addition, they fail to detect zero-day malware and are vulnerable to obfuscation. Hardware-based solutions that use low-level architectural features, on the other hand, have offered insights into the efficient detection of sophisticated malware. However, state-of-the-art malware detection based on Hardware Performance Counters (HPCs), a popular branch of hardware-based solutions, relies on computationally intensive machine learning models and has not been explored on ARM-based embedded Linux systems. In this project, we therefore propose a lightweight HPC-based malware detection tool to serve as the first line of defence against malware.

The tool is based on a statistical method that differentiates HPC datasets of two classes: benign and malware. We collect HPC values of carefully selected operating system programs (indicators) while benign or malicious programs are executed on the system. A statistical method is employed to analyse the corresponding HPC datasets, which are then used to train a model. We then run an unknown program and obtain HPC values of the same indicators. These HPC values are analysed statistically to evaluate their similarity to the benign behaviour of the system. A distance metric, λ, is proposed that combines the HPC profiles of the unknown program and the trained model. A large λ value suggests that the unknown program is malicious; otherwise it is considered benign.

The efficacy of λ depends heavily on the selection of HPC events, indicator programs and the set of benign programs that defines the expected behaviour of the system. Hence, we conducted several experiments to select and validate these features. We implemented the proposed malware detection methodology on an NVIDIA® Jetson Xavier™ NX Development Board running embedded Linux on an ARM processor. Benign applications covering four different benchmark suites and over 20 malware applications of different malware types were used for training and cross-validation. We demonstrate through experimental results that the classification accuracy is improved by proper assignment of weights and selection of features, leading to low false positives and false negatives in our test cases. Finally, we propose a real-time malware detection concept in which HPC information is actively collected and the λ-value of the system is evaluated concurrently.

| Field | Value |
|---|---|
| Main Author | Tee, Willis Teo Kian |
| Other Authors | Lam Siew Kei |
| School | School of Computer Science and Engineering, Nanyang Technological University |
| Research Centre | Cyber Security Research Centre @ NTU (CYSREN) |
| Degree | Bachelor of Engineering (Computer Engineering) |
| Format | Final Year Project (FYP) |
| Language | English |
| Published | Nanyang Technological University, 2021 |
| Date Deposited | 2021-11-16 |
| Subjects | Engineering::Computer science and engineering |
| Identifier | SCSE20-0743 |
| Record ID | sg-ntu-dr.10356-153296 |
| Online Access | https://hdl.handle.net/10356/153296 |
| Institution | Nanyang Technological University |
| Collection | DR-NTU (NTU Library) |

Citation: Tee, W. T. K. (2021). Hardware assisted malware detection for embedded systems. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/153296