We aim to improve the efficiency of our previously proposed anti-malware hardware, a hardware-implemented malware detection mechanism that uses information inside the processor. We previously evaluated a prototype, but, due to its prototypical nature, limitations remain: it detects only certain behaviors, consumes considerable power, and tends to bloat the training model. In this paper, we propose a circuit and a learning method to achieve high efficiency, low power consumption, and a lightweight model. In addressing these three issues, we focus on time-series metadata obtained by transforming the processor information. To improve efficiency, we implement predictive detection that predicts the behavior of the metadata in the malware detection component. This lets the model detect malware within less than 19% of the number of execution cycles of the conventional method. To reduce power consumption, we implement a sampling circuit that interrupts the input to the detection circuit at regular intervals, reducing the system's uptime by 99% while maintaining judgment accuracy. Finally, to make the model lightweight, we focus on the training process of the metadata generator, which is based on a machine-learning model. By applying sampling learning and feature dimensionality reduction in the training process, we obtain a metadata generator approximately 16% smaller than the previous version.
Currently, software implementation is the mainstream approach for anti-malware measures. However, software-based anti-malware measures are difficult to implement in Internet of Things devices with limited hardware resources. To solve this problem, a malware detection mechanism that can be realized with only hardware has been proposed. The hardware mechanism consists of three elements: an access-hit counter, dividers, and a classifier. The classifier is generated by a random forest and uses processor information as feature values. To reduce the hardware scale, a Hit Rate Table (HRTable) is introduced in place of the dividers. We propose methods of reducing the scale of hardware resources and synchronizing the CPU and the malware detection mechanism. This paper implements the proposed mechanism in hardware, simulates it while considering the delay caused by input/output to the HRTable, and evaluates the hardware scale of the proposed mechanism combined with RISC-V on a field-programmable gate array (FPGA).
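The abstract above replaces the dividers with a Hit Rate Table so the detection datapath never divides at runtime. The following is an added illustration, not code from the paper: it pre-computes quantized hit rates for every reachable (hits, accesses) counter state, looks them up at runtime, and feeds the result to a small majority-vote stand-in for the random-forest classifier. Counter width, fixed-point resolution, the cache traces and the stump thresholds are all constructed assumptions.

```python
# Added example emulating the HRTable idea; counter widths, resolution,
# traces and classifier thresholds are assumptions, not the paper's values.
from itertools import product

COUNTER_BITS = 4                 # assumed width of the access-hit counters
FRAC_BITS = 4                    # assumed fixed-point resolution of a stored rate
MAX_COUNT = (1 << COUNTER_BITS) - 1
SCALE = 1 << FRAC_BITS

def build_hr_table():
    """Divide once, offline: round(hits / accesses * SCALE) for every
    reachable counter pair (hits <= accesses). Hardware only indexes it."""
    table = {}
    for hits, accesses in product(range(MAX_COUNT + 1), repeat=2):
        if hits > accesses:
            continue                                   # unreachable state
        table[(hits, accesses)] = 0 if accesses == 0 else round(hits * SCALE / accesses)
    return table

HR_TABLE = build_hr_table()

def hit_rate_q(hits, accesses):
    """Runtime lookup: quantized hit rate in [0, SCALE], no divider needed."""
    return HR_TABLE[(hits, accesses)]

def max_quantization_error():
    """Worst-case |table_value/SCALE - hits/accesses| over reachable pairs."""
    return max(abs(q / SCALE - h / a) for (h, a), q in HR_TABLE.items() if a)

def window_counts(trace):
    """Access-hit counter over one window: saturating (hits, accesses)."""
    accesses = min(len(trace), MAX_COUNT)
    hits = min(sum(trace[:accesses]), MAX_COUNT)
    return hits, accesses

def forest_vote(rate_q, stumps):
    """Stand-in for the random forest: each stump is (threshold_q, label_if_below);
    the majority of stump votes is the verdict (1 = malware, 0 = benign)."""
    votes = [label if rate_q < thr else 1 - label for thr, label in stumps]
    return int(sum(votes) * 2 > len(votes))

# Constructed windows of cache outcomes (1 = hit, 0 = miss) and constructed stumps.
BENIGN = [1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1]
SCANNER = [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0]
STUMPS = [(8, 1), (6, 1), (10, 1)]          # quantized thresholds, malware if below

def detect(trace):
    """Full path: counters -> HRTable lookup -> classifier vote."""
    return forest_vote(hit_rate_q(*window_counts(trace)), STUMPS)

if __name__ == "__main__":
    print(hit_rate_q(*window_counts(BENIGN)), detect(BENIGN))
    print(hit_rate_q(*window_counts(SCANNER)), detect(SCANNER))
    print(max_quantization_error())
```

Widening FRAC_BITS halves the worst-case quantization error per added bit, while each added counter bit roughly quadruples the table, which is the hardware-scale trade-off the abstract refers to.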