SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

Das, Sanjeev; Werner, Jan; Antonakakis, Manos; Polychronakis, Michalis; Monrose, Fabian

doi:10.1109/sp.2019.00021

Cited by 112 publications

(77 citation statements)

References 79 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Instead, when using IF with performance metrics (+ coarse-grain power statistics) we observed a high F1-score, with 0 % of FA rate, in the system in idle, HPCG, and QE, while we obtained a poor F1-score for Gromacs and HPL, and a really low F1-score with high FA rate for NPB btC9, and NPB btC16. When looking at the overall F1-score, we obtain a low value of 0.758, which is in line with results in [34], [35], when using tree-based models with performance counters for malware detection (reason why they do not advice this technique for security purposes). Finally, in the case of AE, we obtain poor scores for all benchmarks, except for HPCG, NPB btC9, and NPB btC16, and an overall F1-score of 0.627.…”

Section: B Malware Detection Resultssupporting

confidence: 86%

pAElla: Edge AI-Based Real-Time Malware Detection in Data Centers

Libri

Bartolini

Benini

2020

IEEE Internet Things J.

View full text Add to dashboard Cite

The increasing use of Internet-of-Things (IoT) devices for monitoring a wide spectrum of applications, along with the challenges of "big data" streaming support they often require for data analysis, is nowadays pushing for an increased attention to the emerging edge computing paradigm. In particular, smart approaches to manage and analyze data directly on the network edge, are more and more investigated, and Artificial Intelligence (AI) powered edge computing is envisaged to be a promising direction. In this paper, we focus on Data Centers (DCs) and Supercomputers (SCs), where a new generation of high-resolution monitoring systems is being deployed, opening new opportunities for analysis like anomaly detection and security, but introducing new challenges for handling the vast amount of data it produces. In detail, we report on a novel lightweight and scalable approach to increase the security of DCs / SCs, that involves AI-powered edge computing on high-resolution power consumption. The method -called pAElla -targets real-time Malware Detection (MD), it runs on an out-of-band IoT-based monitoring system for DCs / SCs, and involves Power Spectral Density of power measurements, along with AutoEncoders. Results are promising, with an F1-score close to 1, and a False Alarm and Malware Miss rate close to 0%. We compare our method with State-of-the-Art MD techniques and show that, in the context of DCs / SCs, pAElla can cover a wider range of malware, significantly outperforming SoA approaches in terms of accuracy. Moreover, we propose a methodology for online training suitable for DCs / SCs in production, and release open dataset and code.

show abstract

Section: B Malware Detection Resultssupporting

confidence: 86%

pAElla: Edge AI-Based Real-Time Malware Detection in Data Centers

Libri

Bartolini

Benini

2020

IEEE Internet Things J.

View full text Add to dashboard Cite

show abstract

“…The two comparison papers mentioned above [88,90] point out the weak connection between HPC measurements and the high-level code executed by malware, but the same conclusion can be drawn by side-channel analysis using external hardware. The conclusion is that side-channel analysis is only as strong as the statistical correlation between two separate views: high-level code and low-level hardware.…”

Section: Side-channel Analysismentioning

confidence: 80%

“…Using HPCs to detect malware has been tested by various researchers with inconclusive results. One study [88] showed that while it is possible to use HPCs to detect ROP (return-oriented programming) execution, HPCs are less effective for malware detection. ROP is a common technique used by malware to counter anti-exploit mechanisms, which is based on reusing compiled code that was previously loaded into the victim's RAM.…”

Section: Side-channel Analysismentioning

confidence: 99%

See 1 more Smart Citation

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

et al. 2019

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract

“…Moreover, this technology is used to establish the so-called mobile ad-hoc clouds, which take advantage of unused resources of nearby devices to provide cloud services, such as data and computation offloading. This is also a typical case of IoT environment, where IoT devices communicate with each other on short-distance channels [10].…”

Section: Introductionmentioning

confidence: 99%

Detecting (absent) app-to-app authentication on cross-device short-distance channels

Cristalli

Bruschi

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Short-distance or near-field communication is increasingly used by mobile apps for interacting or exchanging data in a cross-device fashion. In this paper, we identify a security issue, namely crossdevice app-to-app communication hijacking (or CATCH), that affect Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi-Direct). This issue causes unauthenticated or malicious appto-app interactions even when the underlying communication channels are authenticated and secured. In addition to discovering the security issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. Our algorithm checks if a given app contains an app-to-app authentication scheme, necessary for preventing CATCH. We perform experiments on a set of Android apps and show the CATCH problem is always present on the whole analyzed applications set. We also discuss the impact of the problem in real scenarios by presenting two real case studies. At the end of the paper we reported limitations of our model along with future improvements. CCS CONCEPTS • Security and privacy → Authentication; Mobile and wireless security; Software and application security.

show abstract

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

Cited by 112 publications

References 79 publications

pAElla: Edge AI-Based Real-Time Malware Detection in Data Centers

pAElla: Edge AI-Based Real-Time Malware Detection in Data Centers

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Detecting (absent) app-to-app authentication on cross-device short-distance channels

Contact Info

Product

Resources

About