Side-Channel Assisted Malware Classifier with Gradient Descent Correction for Embedded Platforms
15 pages • Published: September 10, 2018

Abstract
Malware detection remains one of the hard problems in computer security because new varieties of malware keep appearing. There has been an enormous effort to develop a generalised solution to this problem, but little of it has considered the security of resource-constrained embedded devices. In this paper, we attempt to develop a lightweight malware detection tool designed specifically for embedded platforms, using micro-architectural side-channel information obtained through Hardware Performance Counters (HPCs). The methodology develops a distance metric, called λ, that measures how far a given program lies from a benign set of programs expected to execute in the embedded environment. The distance is computed from observations of carefully chosen features, each of which is a tuple of a high-level system call and a low-level HPC event. The ideal λ-value for a malicious program is 1, as opposed to 0 for a benign program. In practice, however, how well λ classifies malware depends largely on the proper assignment of weights to the features. We employ a gradient-descent based learning mechanism to determine optimal choices for these weights. We show through experimental results on an embedded Linux running on an ARM processor that such a side-channel based learning mechanism improves classification accuracy significantly compared to an ad-hoc selection of the weights, and leads to significantly lower false positives and false negatives in all our test cases.

Keyphrases: gradient descent algorithm, hardware performance counters, malware analysis, side channels

In: Lejla Batina, Ulrich Kühne and Nele Mentens (editors). PROOFS 2018. 7th International Workshop on Security Proofs for Embedded Systems, vol 7, pages 1-15.
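The following is an added illustration, not code from the paper. The abstract does not define λ, so this example assumes one plausible form: λ(x) = sigmoid(Σ_i w_i · d_i(x) + b), where d_i(x) is the deviation of feature i (a (syscall, HPC event) tuple) from the benign profile, measured in benign standard deviations, and (w, b) are fitted by gradient descent on binary cross-entropy so that benign programs score near 0 and malware near 1. The feature names and all profile values are constructed, not measured; only the last feature actually separates the two classes, which is what lets learned weights beat the ad-hoc "every feature counts the same" rule.

```python
"""Hypothetical lambda-style side-channel malware score (added example).

ASSUMED model, not the paper's:
    lambda(x) = sigmoid( sum_i w_i * d_i(x) + b )
d_i(x) = |x_i - mu_i| / sigma_i, with (mu, sigma) from the benign set.
"""
import math

# Assumed feature tuples: (high-level system call, low-level HPC event).
FEATURES = [
    ("read", "L1-dcache-load-misses"),
    ("write", "branch-misses"),
    ("mmap", "instructions"),
    ("execve", "cache-misses"),
]

# Constructed profiles (not measured): normalised event counts per feature.
# The first three features fluctuate as much in benign runs as in malicious
# ones; only the last one differs between the classes.
BENIGN = [
    [1.0, 2.0, 3.0, 0.10],
    [1.2, 1.8, 3.3, 0.12],
    [0.8, 2.2, 2.7, 0.08],
    [1.1, 1.9, 3.1, 0.11],
    [0.9, 2.1, 2.9, 0.09],
]
MALWARE = [
    [1.0, 2.0, 3.0, 0.16],
    [1.3, 1.7, 3.4, 0.15],
    [0.7, 2.3, 2.6, 0.18],
    [1.1, 2.0, 3.0, 0.14],
]


def benign_profile(benign):
    """Per-feature mean and population standard deviation of the benign set."""
    n = len(benign)
    k = len(FEATURES)
    mu = [sum(r[i] for r in benign) / n for i in range(k)]
    sigma = [math.sqrt(sum((r[i] - mu[i]) ** 2 for r in benign) / n) for i in range(k)]
    return mu, sigma


def deviation(x, mu, sigma):
    """d_i(x): distance of feature i from the benign mean, in benign sigmas."""
    return [abs(x[i] - mu[i]) / (sigma[i] + 1e-9) for i in range(len(x))]


def sigmoid(z):
    """Numerically safe logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def lam(d, w, b):
    """The lambda score of a deviation vector under weights w and bias b."""
    return sigmoid(sum(wi * di for wi, di in zip(w, d)) + b)


def train(benign, malware, lr=0.2, epochs=30000):
    """Full-batch gradient descent on mean binary cross-entropy.

    For cross-entropy on a sigmoid output, dLoss/dz = lambda - y, so the
    gradient for w_i is the mean of (lambda - y) * d_i and for b the mean of
    (lambda - y). Benign is labelled 0, malware 1.
    """
    mu, sigma = benign_profile(benign)
    data = [(deviation(x, mu, sigma), 0.0) for x in benign] + \
           [(deviation(x, mu, sigma), 1.0) for x in malware]
    n = len(data)
    w = [0.0] * len(FEATURES)
    b = 0.0
    for _ in range(epochs):
        gw = [0.0] * len(w)
        gb = 0.0
        for d, y in data:
            err = lam(d, w, b) - y
            for i, di in enumerate(d):
                gw[i] += err * di
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def evaluate(w, b, benign, malware):
    """Count false positives (benign flagged) and false negatives (malware missed)."""
    mu, sigma = benign_profile(benign)
    fp = sum(lam(deviation(x, mu, sigma), w, b) > 0.5 for x in benign)
    fn = sum(lam(deviation(x, mu, sigma), w, b) <= 0.5 for x in malware)
    total = len(benign) + len(malware)
    return {"fp": fp, "fn": fn, "accuracy": (total - fp - fn) / total}


# Ad-hoc baseline: every feature weighs the same, and a program is flagged
# when its mean deviation exceeds one benign sigma (sum of d_i > len(FEATURES)).
ADHOC_W = [1.0] * len(FEATURES)
ADHOC_B = -float(len(FEATURES))

if __name__ == "__main__":
    w, b = train(BENIGN, MALWARE)
    print("ad-hoc ", evaluate(ADHOC_W, ADHOC_B, BENIGN, MALWARE))
    print("learned", evaluate(w, b, BENIGN, MALWARE))
    for (syscall, event), wi in zip(FEATURES, w):
        print(f"  w[{syscall}, {event}] = {wi:+.3f}")
```

With these constructed profiles the ad-hoc rule produces two false positives (benign runs whose noisy features happen to drift) and one false negative (a sample whose only anomaly is the discriminating feature), while the learned weights concentrate on the (execve, cache-misses) tuple and separate every sample. Two caveats a practitioner would keep in mind: the benign profile here is built from the same samples it is evaluated on, so real use needs a held-out set, and a handful of hand-made profiles says nothing about how stable HPC counts are across firmware builds, clock frequencies or co-running tasks on the target board.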