Daniel Koranek scite author profile

The electric power grid underlying our national infrastructure faces various challenges from adversaries that may exploit weaknesses gained through tampering and malicious reverse engineering. In this paper we describe a method for frustrating such adversaries based on polymorphic generation of circuit hardware with specific hiding properties in mind. We introduce component fusion as a technique for generating functionally equivalent variations of target logic that merge and blur the boundary between constituent components. We show how both random and deterministic variation can be combined to produce circuits that are efficient within allowable bounds while driving up cost of malicious tamper efforts.

show abstract

Identification of Return-Oriented Programming Attacks Using RISC-V Instruction Trace Data

Koranek

Graham

Borghetti

et al. 2022

IEEE Access

View full text Add to dashboard Cite

An increasing number of embedded systems include dedicated neural hardware. To benefit from this specialized hardware, deep learning techniques to discover malware on embedded systems are needed. This effort evaluated candidate machine learning detection techniques for distinguishing exploited from nonexploited RISC-V program behavior using execution traces. We first developed a dataset of execution traces containing Return Oriented Programming (ROP) exploitation on the RISC-V Instruction Set Architecture (ISA) and then developed several deep learning bidirectional Long Short-Term Memory (LSTM) models capable of distinguishing exploited traces from non-exploited traces, each using subsets of features from the execution traces. An objective of this effort was to evaluate which features (instruction addresses and immediate values) from an execution trace are application-specific, which features (opcodes and operands) are application-agnostic, and how these subsets of features affect model performance. Applicationagnostic features allow a model to generalize its detection capability to detecting ROP in previously unseen applications. The model using opcode and operand sequences obtained 98.21% cross validation accuracy and 97.94% test accuracy. In contrast, a model using address values obtained 92.79% cross validation accuracy with 99.59% test set accuracy. This research also analyzed whether ROPs exploitation significantly affects branch prediction; experimental evidence suggests that it does. Thus, branch prediction behavior could be a valuable feature in detecting ROPs exploits.

show abstract

Detecting Malware Code as Video With Compressed, Time-Distributed Neural Networks

2020

View full text Add to dashboard Cite

Malware is an ever-present problem in the modern era and while detecting malware with AI has grown as a new field of exploration, current methods are not yet mature enough for widespread adoption in terms of speed and performance. Current methods largely focus on viewing malicious assembly as an image for detection, requiring a large amount of preprocessing and making network architectures inflexible. Preprocessing malware images to one size introduces additional time to predict and makes the task of prediction more difficult. We explore a novel method for transforming executable bytecode into a video rather than an image for classification with deep, time-distributed neural networks, achieving up to 98.74% testing accuracy on 9 classes of malware, and up to 99.36% testing accuracy on a balanced set of malicious vs. benign files. The network could also classify all malware in our dataset for a false positive rate of 13%, and was also found successful in classifying only parts of an input, as well as initial success in a 0-day scenario. The network only uses the executable code and no additional information to make predictions. We then explore methods for pruning and quantizing the network so that it may be more feasible for widespread implementation, including a novel pruning method we call Node-Distance pruning. Our model is found to be competitive to current works while remaining fast, lean and flexible.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Daniel Koranek

Detecting Malicious Assembly with Deep Learning

Deterministic circuit variation for anti-tamper applications

Identification of Return-Oriented Programming Attacks Using RISC-V Instruction Trace Data

Detecting Malware Code as Video With Compressed, Time-Distributed Neural Networks

Contact Info

Product

Resources

About