Malicious software, known as malware, rests at the center of today’s computer security problems. Malware has a variety of behaviors, from sending spam emails to holding a user’s files hostage and demanding a ransom. The latter category is called ransomware, and has recently been the focus of security researchers and practitioners alike. For example, in 2017, the WannaCry ransomware was estimated to have caused $4B in damages by attacking banks, law enforcement offices, and hospitals.
To protect computer systems, cyber security researchers have developed various software-based methods for malware analysis and detection. However, they come at a cost: performance degradation of user applications. To reduce this overhead, many solutions propose using Hardware Performance Counters (HPCs), low-level hardware units inside a processor. These solutions claim to analyze the HPC data harvested at the hardware level, and use machine learning (ML) algorithms to detect malicious behaviors in programs. However, it is difficult to properly identify malicious activity of software applications by analyzing activity at the hardware level, because standard system processes execute the same (or similar) countable behaviors. For example, ransomware and key managers both encrypt files through the same hardware operations. Because of this, there are no distinguishable differences between ransomware and key managers when only those hardware operations are analyzed.
Realizing that the correlation between malware and HPC traces does not establish causation, Boston University graduate students Boyou Zhou, Rasoul Jahanshahi and Anmol Gupta, under the supervision of Professors Manuel Egele and Ajay Joshi, evaluated works that propose this HPC-based methodology for malware detection. They found that the conclusions in these works were based on unrealistic assumptions and overly optimistic settings for the ML algorithms used to process HPC values.
So, to determine whether HPCs and ML can be used to detect malware, the group ran an experiment: they executed benignware and malware programs, then collected and analyzed the HPC values for each program. Connecting 16 AMD machines (provided by BU IT), Egele and Joshi’s team ran the experiments and extracted HPC traces on these bare-metal machines. The experiment revealed that HPC-based malware detection can have a False Discovery Rate (FDR) of more than 15%. In other words, out of the 1,323 executable files in a fresh Windows installation, 198 files would be incorrectly tagged as malware. Additionally, when the team inoculated Notepad++ with ransomware, the ransomware went undetected by the HPC-based malware detection approach.
They published their findings in a paper titled “Hardware Performance Counters Can Detect Malware: Myth or Fact?” at the ASIA Conference on Computer Communications Security (ASIACCS) 2018 and received the Best Paper award. In their paper, they argue that security researchers and engineers need to be very careful using HPCs and ML for malware detection, and provide guidelines for optimizing this methodology. These guidelines include running programs on bare-metal machines, using disjoint programs for training and evaluation, and performing 10-fold cross-validation.
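Two of these guidelines, disjoint programs for training and evaluation and 10-fold cross-validation, can be combined by building the folds over programs rather than over individual HPC traces. The Python sketch below is an added example, not code from the paper or its authors; the function names and the 20-program sample with 5 traces each are constructed for illustration.

```python
import random

def program_disjoint_folds(program_ids, k=10, seed=0):
    """Yield (train_idx, test_idx) so all traces of a program share one fold."""
    programs = sorted(set(program_ids))
    if len(programs) < k:
        raise ValueError("need at least k distinct programs")
    random.Random(seed).shuffle(programs)
    fold_of = {p: i % k for i, p in enumerate(programs)}
    for fold in range(k):
        test = [i for i, p in enumerate(program_ids) if fold_of[p] == fold]
        train = [i for i, p in enumerate(program_ids) if fold_of[p] != fold]
        yield train, test

def per_trace_folds(n, k=10, seed=0):
    """Naive split over individual traces, shown for contrast."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    for fold in range(k):
        test = idx[fold::k]
        held = set(test)
        yield [i for i in idx if i not in held], test

def leaked_programs(program_ids, train, test):
    """Programs that contribute traces to both sides of a split."""
    return {program_ids[i] for i in train} & {program_ids[i] for i in test}

def false_discovery_rate(y_true, y_pred):
    """FDR = FP / (FP + TP), where 1 means 'flagged as malware'."""
    fp = sum(1 for t, p in zip(y_true, y_pred) if p == 1 and t == 0)
    tp = sum(1 for t, p in zip(y_true, y_pred) if p == 1 and t == 1)
    return fp / (fp + tp) if fp + tp else 0.0

# Constructed sample: 20 programs with 5 HPC traces each (no real data).
PROGRAM_IDS = [f"prog{n:02d}" for n in range(20) for _ in range(5)]

def count_leaky_folds(folds):
    """Number of folds in which some program appears in train and test."""
    return sum(1 for tr, te in folds if leaked_programs(PROGRAM_IDS, tr, te))

if __name__ == "__main__":
    print("leaky folds, per-trace split:",
          count_leaky_folds(per_trace_folds(len(PROGRAM_IDS))))
    print("leaky folds, program-disjoint split:",
          count_leaky_folds(program_disjoint_folds(PROGRAM_IDS)))
```

With a per-trace split, traces of the same program land on both sides of every fold, so the classifier is scored on programs it has already seen; the program-disjoint split removes that leakage before FDR is computed on the held-out fold.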