Why We Need a Theory of Maliciousness: Hardware Performance Counters in Security

Botacin, Marcus; Grégio, André

doi:10.1007/978-3-031-22390-7_22

Cited by 6 publications

(3 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Limited dataset: Botacin et al [4] recently discuss about the use of limited dataset to detect microarchitectural attacks and other kind of malwares with ML algorithms. In order to circumvent this issue, we choose to use evasive attacks based on techniques proposed in [27].…”

Section: Discussionmentioning

confidence: 99%

A Hybrid Solution for Constrained Devices to Detect Microarchitectural Attacks

Polychronou

Thevenon

Puys

et al. 2023

2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

We are seeing an increase in cybersecurity attacks on resource-constrained systems such as the Internet of Things (IoT) and Industrial IoT (IIoT) devices. Recently, a new category of attacks has emerged called microarchitectural attacks. It targets hardware units of the system such as the processor or memory and is often complicated if not impossible to remediate since it imposes modifying the hardware. In default of remediation, some solutions propose to detect these attacks. Yet, most of them are not suitable for embedded systems since they are based on complex machine learning algorithms.In this paper, we propose an edge-computing security solution for attack detection that uses a local-remote machine learning implementation to find an equilibrium between accuracy and decision-making latency while addressing the memory, performance, and communication bandwidth constraints of resource-constrained systems. We demonstrate effectiveness in the detection of multiple microarchitectural attacks such as Rowhammer or cache attacks on an embedded device with an accuracy of 98.75% and a FPR near 0%. To limit the overhead on the communication bus, the proposed solution filters 99% of the samples during normal operation.

show abstract

Section: Discussionmentioning

confidence: 99%

A Hybrid Solution for Constrained Devices to Detect Microarchitectural Attacks

Polychronou

Thevenon

Puys

et al. 2023

2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

show abstract

“…Lastly, they illustrated the hardware-based detector's inability to distinguish ransomware embedded in a benign application like Notepad++. In a recent contribution, [55] acknowledged the absence of a perfect malware detector and argued that hardware-based detection is only effective for specific malware types. In particular, [55] propose its effectiveness in identifying attacks exploiting architectural side-effects, citing examples such as RowHammer [56], [57] (detectable through excessive cache flushes [58]), ROP attacks [37] (identified by an abundance of instruction misses [59]), and DirtyCoW [60] (detectable through heightened paging activity).…”

Section: Hardware-based Malware Detectionmentioning

confidence: 99%

“…In a recent contribution, [55] acknowledged the absence of a perfect malware detector and argued that hardware-based detection is only effective for specific malware types. In particular, [55] propose its effectiveness in identifying attacks exploiting architectural side-effects, citing examples such as RowHammer [56], [57] (detectable through excessive cache flushes [58]), ROP attacks [37] (identified by an abundance of instruction misses [59]), and DirtyCoW [60] (detectable through heightened paging activity). The authors also emphasized the necessity for a maliciousness theory to enhance the understanding of malware threats and assess proposed defenses.…”

Section: Hardware-based Malware Detectionmentioning

confidence: 99%

A Survey on Hardware-Based Malware Detection Approaches

Chenet,

Savino,

Di Carlo

2024

IEEE Access

View full text Add to dashboard Cite

This paper delves into the dynamic landscape of computer security, where malware poses a paramount threat. Our focus is a riveting exploration of the recent and promising hardware-based malware detection approach. Leveraging modern processors' hardware performance counters and machine learning prowess, this approach brings forth compelling advantages such as real-time detection, resilience to code variations, minimal performance overhead, protection disablement fortitude, and cost-effectiveness. Navigating through a generic hardware-based detection framework, we meticulously analyze the approach, unraveling the most common methods, algorithms, tools, and datasets that shape its contours. This survey is not only a resource for seasoned experts but also an inviting starting point for those venturing into the field of malware detection. However, challenges emerge on this exciting journey. We grapple with the imperative of accuracy improvements and strategies to address the remaining classification errors. The discussion extends to crafting mixed hardware and software approaches for collaborative efficacy, essential enhancements in hardware monitoring units, and a better understanding of the correlation between hardware events and malware applications.

show abstract