PREEMPT

PReempting malware by examining embedded processor traces

Kanad Basu, Rana Elnaggar, Krishnendu Chakrabarty, Ramesh Karri

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94% and maintains a low False Positive value of 2%.

Original languageEnglish (US)
Title of host publicationProceedings of the 56th Annual Design Automation Conference 2019, DAC 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9781450367257
DOIs
StatePublished - Jun 2 2019
Event56th Annual Design Automation Conference, DAC 2019 - Las Vegas, United States
Duration: Jun 2 2019Jun 6 2019

Publication series

NameProceedings - Design Automation Conference
ISSN (Print)0738-100X

Conference

Conference56th Annual Design Automation Conference, DAC 2019
CountryUnited States
CityLas Vegas
Period6/2/196/6/19

Fingerprint

Embedded Processor
Malware
Trace
Virus
Hardware
Software
Computer viruses
Buffer
Attack
Software Tools
False Positive
Vulnerability
Learning systems
Penalty
Latency
Silicon
Machine Learning
High Accuracy
Monitor
Computer systems

ASJC Scopus subject areas

  • Computer Science Applications
  • Control and Systems Engineering
  • Electrical and Electronic Engineering
  • Modeling and Simulation

Cite this

Basu, K., Elnaggar, R., Chakrabarty, K., & Karri, R. (2019). PREEMPT: PReempting malware by examining embedded processor traces. In Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019 [a166] (Proceedings - Design Automation Conference). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1145/3316781.3317883

PREEMPT : PReempting malware by examining embedded processor traces. / Basu, Kanad; Elnaggar, Rana; Chakrabarty, Krishnendu; Karri, Ramesh.

Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019. Institute of Electrical and Electronics Engineers Inc., 2019. a166 (Proceedings - Design Automation Conference).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Basu, K, Elnaggar, R, Chakrabarty, K & Karri, R 2019, PREEMPT: PReempting malware by examining embedded processor traces. in Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019., a166, Proceedings - Design Automation Conference, Institute of Electrical and Electronics Engineers Inc., 56th Annual Design Automation Conference, DAC 2019, Las Vegas, United States, 6/2/19. https://doi.org/10.1145/3316781.3317883
Basu K, Elnaggar R, Chakrabarty K, Karri R. PREEMPT: PReempting malware by examining embedded processor traces. In Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019. Institute of Electrical and Electronics Engineers Inc. 2019. a166. (Proceedings - Design Automation Conference). https://doi.org/10.1145/3316781.3317883
Basu, Kanad ; Elnaggar, Rana ; Chakrabarty, Krishnendu ; Karri, Ramesh. / PREEMPT : PReempting malware by examining embedded processor traces. Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019. Institute of Electrical and Electronics Engineers Inc., 2019. (Proceedings - Design Automation Conference).
@inproceedings{36b0ef93cbd440e3a218648e2f2e12d9,
title = "PREEMPT: PReempting malware by examining embedded processor traces",
abstract = "Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94{\%} and maintains a low False Positive value of 2{\%}.",
author = "Kanad Basu and Rana Elnaggar and Krishnendu Chakrabarty and Ramesh Karri",
year = "2019",
month = "6",
day = "2",
doi = "10.1145/3316781.3317883",
language = "English (US)",
series = "Proceedings - Design Automation Conference",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
booktitle = "Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019",

}

TY - GEN

T1 - PREEMPT

T2 - PReempting malware by examining embedded processor traces

AU - Basu, Kanad

AU - Elnaggar, Rana

AU - Chakrabarty, Krishnendu

AU - Karri, Ramesh

PY - 2019/6/2

Y1 - 2019/6/2

N2 - Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94% and maintains a low False Positive value of 2%.

AB - Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94% and maintains a low False Positive value of 2%.

UR - http://www.scopus.com/inward/record.url?scp=85067795815&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85067795815&partnerID=8YFLogxK

U2 - 10.1145/3316781.3317883

DO - 10.1145/3316781.3317883

M3 - Conference contribution

T3 - Proceedings - Design Automation Conference

BT - Proceedings of the 56th Annual Design Automation Conference 2019, DAC 2019

PB - Institute of Electrical and Electronics Engineers Inc.

ER -