TWC: Small: Collaborative: Practical Hardware-Assisted Always-On Malware Detection

TWC：小型：协作：实用的硬件辅助始终在线恶意软件检测

• 批准号: 1619322
• 负责人: Nael Abu-Ghazaleh
• 金额: $ 22.5万
• 依托单位: University of California-Riverside
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1619322&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Practical; Hardware

The project explores building support for malware detection in hardware. Malware detection is challenging and resource intensive, as the number and sophistication of malware increases. The resource requirements for malware detection limit its use in practice, leaving malware unchecked on many systems. We use a low level hardware detector to identify malware as a computational anomaly using low level features such as hardware events, instruction mixes and memory address patterns. Once malware is suspected, we inform a higher level software detection or protection mechanism that can focus its resources only on suspected malware. The detector uses low complexity machine learning approaches to classify malware from normal programs using implementations that are feasible in hardware. The project explores countermeasures based on adversarial machine learning to limit attackers trying to evade detection, develops secure integration between the hardware and software detection, and evaluates implementation tradeoffs. The project contributes a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors. The project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware. The principles pursued in the proposal can generalize to different computational environments including mobile phones, clouds, and cyberphysical systems.

该项目探索在硬件中构建对恶意软件检测的支持。 随着恶意软件的数量和复杂性的增加，恶意软件检测具有挑战性并且是资源密集型的。 恶意软件检测的资源要求限制了其在实践中的使用，使恶意软件在许多系统上不受检查。 我们使用一个低级别的硬件检测器来识别恶意软件作为一个计算异常使用低级别的功能，如硬件事件，指令混合和内存地址模式。 一旦怀疑有恶意软件，我们会通知更高级别的软件检测或保护机制，该机制可以将其资源仅集中在可疑的恶意软件上。 该检测器使用低复杂度的机器学习方法，使用硬件中可行的实现将恶意软件与正常程序进行分类。 该项目探索了基于对抗性机器学习的对策，以限制攻击者试图逃避检测，开发硬件和软件检测之间的安全集成，并评估实施权衡。该项目提供了一种新的方法，以提高恶意软件检测的有效性，并允许系统得到持续保护，而不需要软件监视器所需的大量资源投资。 该项目有望显著影响国家关键需求领域，以帮助保护系统免受恶意软件不断扩大的威胁。 该提案中所追求的原则可以推广到不同的计算环境，包括移动的电话、云和网络物理系统。