The project explores building support for malware detection in hardware. Malware detection is challenging and resource-intensive, as the number and sophistication of malware increase. The resource requirements for malware detection limit its use in practice, leaving malware unchecked on many systems. We use a low-level hardware detector to identify malware as a computational anomaly, using low-level features such as hardware events, instruction mixes and memory address patterns. Once malware is suspected, we inform a higher-level software detection or protection mechanism that can focus its resources only on suspected malware. The detector uses low-complexity machine learning approaches to classify malware from normal programs, using implementations that are feasible in hardware.

The project explores countermeasures based on adversarial machine learning to limit attackers trying to evade detection, develops secure integration between the hardware and software detection, and evaluates implementation tradeoffs. The project contributes a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors. The project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware. The principles pursued in the proposal can generalize to different computational environments including mobile phones, clouds, and cyberphysical systems.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1617915
Program Officer: Sandip Kundu
Project Start:
Project End:
Budget Start: 2016-09-01
Budget End: 2020-08-31
Support Year:
Fiscal Year: 2016
Total Cost: $283,000
Indirect Cost:

Name: Suny at Binghamton
Department:
Type:
DUNS #:
City: Binghamton
State: NY
Country: United States
Zip Code: 13902