1 / 48

RHMD: Evasion-Resilient Hardware Malware Detectors

RHMD: Evasion-Resilient Hardware Malware Detectors. Khaled N. Khasawneh *, Nael Abu-Ghazaleh*, Dmitry Ponomarev**, Lei Yu**. University of California, Riverside *, Binghamton University **. Malware is Everywhere!. Malware is Everywhere!. Over 250,000 malware registered every day!.

rwilbanks
Download Presentation

RHMD: Evasion-Resilient Hardware Malware Detectors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RHMD: Evasion-Resilient Hardware Malware Detectors Khaled N. Khasawneh*, Nael Abu-Ghazaleh*, Dmitry Ponomarev**, Lei Yu** University of California, Riverside *, Binghamton University ** MICRO 2017 – Boston, USA, October 2017

  2. Malware is Everywhere!

  3. Malware is Everywhere! Over 250,000 malware registered every day!

  4. Traditional Software Malware Detection • Static malware detection • Search for signatures in the executable • Can detect all known malware with no false alarms • Can be evaded by new malware and polymorphic malware • Dynamic malware detection • Monitors the behavior of the program • Can detect unknown malware • Very high overhead limiting use in practice

  5. Hardware Malware Detectors (HMDs) • Use Machine Learning: detect malware as computational anomaly • Use low-level features collected from the hardware • Can be always-on without adding performance overhead • Many research papers including ISCA’13, HPCA’15 and MICRO’16

  6. Can malware evade HMDs? Paper Contributions Reverse-engineer HMDs Develop evasive malware Evade detection after re-training

  7. Paper Contributions 1- Provably harder to reverse-engineer 2- Robust to evasion Reverse-engineer HMDs • Yes! Using RHMDs Develop evasive malware Evade detection after re-training

  8. Reverse Engineering

  9. How to Reverse Engineer HMDs? • Challenges: • We don’t know the detection period • We don’t know the features used • We don’t know the detection algorithm • Approach: • Train different classifiers • Derive specific parameters as an optimization problem

  10. Reverse Engineering HMDs Attacker Training Data _________________________

  11. Reverse Engineering HMDs Victim HMD Attacker Training Data 10100 Black box output _________________________

  12. Reverse Engineering HMDs Victim HMD Attacker Training Data 10100 Black box output _________________________ Training model Data Labels

  13. Reverse Engineering HMDs Victim HMD Attacker Training Data 10100 Black box output _________________________ Training model Data Labels Reverse-engineered HMD

  14. We Can Guess Detectors Parameters! • Victim HMD parameters: - 10K detection period - Instructions features vector

  15. We Can Guess Detectors Parameters! • Victim HMD parameters: - 10K detection period - Instructions features vector • Guessing detection period: • LR: Logistic Regression • DT: Decision Tree • SVM: Support Vector Machines

  16. We Can Guess Detectors Parameters! • Victim HMD parameters: - 10K detection period - Instructions features vector • Guessing feature vector: • LR: Logistic Regression • DT: Decision Tree • SVM: Support Vector Machines

  17. Reverse Engineering Effectiveness Logistic Regression Neural Networks

  18. Reverse Engineering Effectiveness Current generation of HMDs can be reverse engineered Logistic Regression Neural Networks

  19. Evading HMDs

  20. How to Create Evasive Malware? • Challenges: - We don’t have malware source code - We can’t decompile malware because its obfuscated • Our approach: PIN Dynamic Control Flow Graph

  21. What we Should Add to Evade? • Logistic Regression (LR) • LR is defined by a weight vector θ • Add instructions whose weights are negative

  22. What we Should Add to Evade? • Neural Network (NN) • Collapse the description of the NN into a single vector • Add instructions whose weights are negative

  23. What we Should Add to Evade? Current generation of HMDs are vulnerable to evasion attacks! • Neural Network (NN) • Collapse the description of the NN into a single vector • Add instructions whose weights are negative

  24. Does re-training Help?

  25. Can we Retrain with Samples of Evasive Malware? • Linear Model • Logistic Regression

  26. Can we Retrain with Samples of Evasive Malware? • Linear Model • Logistic Regression • Non-Linear Model • Neural Network

  27. Explaining Retraining Performance Linear Model (LR)

  28. Explaining Retraining Performance Non-Linear Model (NN)

  29. What if we Keep Retraining?

  30. What if we Keep Retraining?

  31. What if we Keep Retraining?

  32. What if we Keep Retraining?

  33. What if we Keep Retraining? Re-training is not a general solution

  34. Can we Build Detectors that Resist Evasion?

  35. Overview of RHMDs RHMD HMD 1 HMD 2 Pool of diverse HMDs . . . HMD n

  36. Overview of RHMDs RHMD HMD 1 HMD 2 Input Output . . . HMD n Selector

  37. Overview of RHMDs Detection period Number of committed instructions 0 … Features vector RHMD HMD 1 HMD 2 Input Output . . . HMD n Selector

  38. Overview of RHMDs Detection period Number of committed instructions 0 … … Features vector RHMD HMD 1 HMD 2 Input Output . . . HMD n Selector

  39. Overview of RHMDs Detection period Number of committed instructions 0 … … … Features vector RHMD HMD 1 HMD 2 Input Output . . . HMD n Selector

  40. Overview of RHMDs Detection period Number of committed instructions 0 … … … Features vector RHMD Diversify by Different: 1- Features 2- Detection periods HMD 1 HMD 2 . . . HMD n Selector

  41. ReverseEngineer RHMDs Randomizing the features (a) Two feature vectors (b) Three feature vectors

  42. Reverse Engineer RHMDs Randomizing the features and detection period (a) Two feature vectors and two periods (b) Three feature vectors and two periods

  43. RHMD is Resilient to Evasion

  44. Hardware Overhead • FPGA prototype on open core (AO486): • RHMD with three detectors: • Area increase 1.72% • Power increase 0.78%

  45. Conclusion • Current generation of HMDs vulnerable to evasion • Developed a methodology to reverse-engineer and evade detectors • Explored Re-training HMDs • Benefit is limited • Developed new class of Evasion-Resilient HMDs • Robust to evasion • Low overhead

  46. Thank you! Questions? RAID 2015 – Kyoto, Japan, November 2015

  47. Can’t Just Randomly Add Instructions

  48. Evasion Overhead

More Related