Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh, Khaled N.; Özsoy, Meltem; Donovick, Caleb; Abu-Ghazaleh, Nael; Ponomarev, Dmitry

doi:10.1007/978-3-319-26362-5_1

Cited by 67 publications

(46 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Software schemes [3,13,27,45,52,57] to improve security typically have unacceptably high performance overheads. Hardware schemes [11,23,28,31,32,36,37,47] are slow to react to new attacks, and can be rendered ineffective if limitations in their fixed functionality can be exploited. We want to provide a system that can avoid the shortcomings of each.…”

Section: Requirementsmentioning

confidence: 99%

“…Many existing schemes [28,36,37,47] use a variety of information channels to infer security violations, including performance counters, loads and stores, and instructions committed by the system. Any technique that seeks to implement similar detection algorithms must provide efficient channels for this information.…”

Section: Analysis Channelsmentioning

confidence: 99%

“…Enforcing security properites in hardware is a tempting proposition [11,23,28,31,32,36,37,47]. However, fixedfunction hardware is limited in utility if an attacker can simply change their targets to components without protection, or design software to deliberately circumvent the defences.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

The Guardian Council

Ainsworth

Jones

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

View full text Add to dashboard Cite

Systems security is becoming more challenging in the face of untrusted programs and system users. Safeguards against attacks currently in use, such as buffer overflows, control-flow integrity, side channels and malware, are limited. Software protection schemes, while flexible, are often too expensive, and hardware schemes, while fast, are too constrained or out-of-date to be practical.We demonstrate the best of both worlds with the Guardian Council, a novel parallel architecture to enforce a wide range of highly customisable and diverse security policies. We leverage heterogeneity and parallelism in the design of our system to perform security enforcement for a large highperformance core on a set of small microcontroller-sized cores. These Guardian Processing Elements (GPEs) are many orders of magnitude more efficient than conventional outof-order superscalar processors, bringing high-performance security at very low power and area overheads. Alongside these highly parallel cores we provide fixed-function logging and communication units, and a powerful programming model, as part of an architecture designed for security.Evaluation on a range of existing hardware and software protection mechanisms, reimplemented on the Guardian Council, demonstrates the flexibility of our approach with negligible overheads, out-performing prior work in the literature. For instance, 4 GPEs can provide forward control-flow integrity with 0% overhead, while 6 GPEs can provide a full shadow stack at only 2%.

show abstract

Section: Requirementsmentioning

confidence: 99%

Section: Analysis Channelsmentioning

confidence: 99%

See 1 more Smart Citation

The Guardian Council

Ainsworth

Jones

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

View full text Add to dashboard Cite

show abstract

“…Many research works focus on feature extraction for given detection problems: Android applications [11], PDF files [7,35], Windows audit logs [4], portable executable files [19]. In this paper, we do not address feature extraction and we focus on reducing the cost of building a representative labelled dataset with an effective labelling strategy.…”

Section: Fig 2: Sampling Bias Examplementioning

confidence: 99%

“…Supervised learning is adapted to intrusion detection and has been successfully applied to various detection problems: Android applications [11], PDF files [7,35], botnets [2,5], Windows audit logs [4], portable executable files [19]. However, supervised detection models must be trained on representative labelled datasets which are particularly expensive to build in computer security.…”

Section: Introductionmentioning

confidence: 99%

ILAB: An Interactive Labelling Strategy for Intrusion Detection

Beaugnon

Chifflier

Bach

2017

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Acquiring a representative labelled dataset is a hurdle that has to be overcome to learn a supervised detection model. Labelling a dataset is particularly expensive in computer security as expert knowledge is required to perform the annotations. In this paper, we introduce ILAB, a novel interactive labelling strategy that helps experts label large datasets for intrusion detection with a reduced workload. First, we compare ILAB with two state-of-the-art labelling strategies on public labelled datasets and demonstrate it is both an effective and a scalable solution. Second, we show ILAB is workable with a real-world annotation project carried out on a large unlabelled NetFlow dataset originating from a production environment. We provide an open source implementation (https://github.com/ANSSI-FR/SecuML/) to allow security experts to label their own datasets and researchers to compare labelling strategies.

show abstract

Early Detection of Remote Access Trojan by Software Network Behavior

Oya

Omote

2019

Information Security and Cryptology

View full text Add to dashboard Cite

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Cited by 67 publications

References 35 publications

The Guardian Council

The Guardian Council

ILAB: An Interactive Labelling Strategy for Intrusion Detection

Early Detection of Remote Access Trojan by Software Network Behavior

Contact Info

Product

Resources

About