TWC: Small: Collaborative: Practical Hardware-Assisted Always-On Malware Detection

TWC：小型：协作：实用的硬件辅助始终在线恶意软件检测

• 批准号: 1619322
• 负责人: Nael Abu-Ghazaleh
• 金额: $ 22.5万
• 依托单位: University of California-Riverside
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1619322&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Practical; Hardware

The project explores building support for malware detection in hardware. Malware detection is challenging and resource intensive, as the number and sophistication of malware increases. The resource requirements for malware detection limit its use in practice, leaving malware unchecked on many systems. We use a low level hardware detector to identify malware as a computational anomaly using low level features such as hardware events, instruction mixes and memory address patterns. Once malware is suspected, we inform a higher level software detection or protection mechanism that can focus its resources only on suspected malware. The detector uses low complexity machine learning approaches to classify malware from normal programs using implementations that are feasible in hardware. The project explores countermeasures based on adversarial machine learning to limit attackers trying to evade detection, develops secure integration between the hardware and software detection, and evaluates implementation tradeoffs. The project contributes a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors. The project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware. The principles pursued in the proposal can generalize to different computational environments including mobile phones, clouds, and cyberphysical systems.

该项目探讨了在硬件中对恶意软件检测的支持。 随着恶意软件的数量和复杂性的增加，恶意软件的检测具有挑战性和资源密集型。 恶意软件检测的资源需求限制了其在实践中的使用，使许多系统未选中恶意软件。 我们使用低级硬件检测器使用低级功能，例如硬件事件，指令混音和内存地址模式，将恶意软件识别为计算异常。 一旦怀疑恶意软件，我们将为更高级别的软件检测或保护机制提供信息，该机制只能将其资源聚焦于可疑的恶意软件。 检测器使用低复杂性的机器学习方法使用硬件可行的实现从普通程序中分类恶意软件。 该项目探讨了基于对抗机器学习的对策，以限制试图逃避检测的攻击者，在硬件和软件检测之间建立安全的集成，并评估实施权衡。该项目为提高恶意软件检测的有效性并允许连续保护系统的有效性做出了新的方法，而无需软件监视器所需的大量资源投资。 该项目具有重大影响国家至关重要的国家需求的希望，以帮助确保系统免受恶意软件威胁的不断扩展。 提案中提出的原则可以推广到不同的计算环境，包括手机，云和网络物理系统。