SaTC: CORE: Small: An evaluation framework and methodology to streamline Hardware Performance Counters as the next-generation malware detection system

SaTC：核心：小型：简化硬件性能计数器作为下一代恶意软件检测系统的评估框架和方法

• 批准号: 2327427
• 负责人: Marcus Botacin
• 金额: $ 52.34万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-01-01 至 2026-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2327427&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; evaluation; framework

Most Internet users use Antivirus software (AVs) to protect themselves against Malicious Software (malware). However, current AVs still present limitations, such as slowing down the system's regular operation to search for malware. This slowdown often causes users to turn AVs off, thus exposing themselves to risk. To reduce the performance impact, some AVs opt to only partially scan the system. Although it mitigates performance penalties, it exposes users to risks. In this scenario, it is key to develop faster AVs. A promising avenue to develop faster AVs is to move them from software to hardware, such that the AV becomes an integral part of the computer and it scans the system in parallel with its execution. This project investigates what is the best way to design a hardware-based AV. The project’s novelties are (i) a formal methodology to evaluate which parts of the system better indicate the presence of malware; and (ii) the release of a simulation tool to prototype hardware-based AVs in an easy manner. The project's broader significance and importance are (i) to provide scientists with a formal methodology to evaluate hardware AVs; (ii) to provide industry and developers with a prototyping solution to create their AV products; and (iii) to create conditions to protect the society against malware attacks via the next-generation AVs.This project investigates the application of Hardware Performance Counters (HPCs) in the design of AVs. HPC application is investigated from three different aspects: (i) the hypothesis of architectures with an unlimited number of HPCs to attest HPC viability for malware detection and the determination of the minimum number of HPCs required for an actual CPU design; (ii) the investigation on HPC susceptibility to Mimicry attacks via the development of compiler extensions to automatically create code diversity; and (iii) the development of explainable artificial intelligence models to teach humans how attacks are detected at HPC level. The source code for all tools developed in this project is open-source.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

大多数互联网用户使用防病毒软件（AV）来保护自己免受恶意软件（恶意软件）的侵害。然而，目前的AV仍然存在局限性，例如减慢系统搜索恶意软件的常规操作。这种减速通常会导致用户关闭自动驾驶汽车，从而使自己面临风险。为了减少性能影响，一些AV选择仅部分扫描系统。虽然它减轻了性能损失，但它使用户面临风险。在这种情况下，开发更快的AV是关键。开发更快的AV的一个有希望的途径是将它们从软件转移到硬件，这样AV就成为计算机的一个组成部分，它在执行的同时扫描系统。这个项目调查什么是最好的方式来设计一个基于硬件的AV。该项目的新颖之处在于：（i）一种正式的方法，用于评估系统的哪些部分更好地指示恶意软件的存在;以及（ii）发布一种模拟工具，以简单的方式对基于硬件的AV进行原型设计。该项目的更广泛的意义和重要性是（i）为科学家提供评估硬件AV的正式方法;（ii）为行业和开发人员提供创建AV产品的原型解决方案;以及（iii）创造条件，保护社会免受下一代AV的恶意软件攻击。从三个不同的方面研究了HPC的应用：（i）假设HPC的数量不受限制，以证明HPC在恶意软件检测中的可行性，并确定实际CPU设计所需的HPC的最小数量;（ii）通过开发编译器扩展来自动创建代码多样性，以研究HPC对Mimicry攻击的敏感性;以及（iii）开发可解释的人工智能模型，以教人类如何在HPC级别检测攻击。该项目中开发的所有工具的源代码都是开源的。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。