Actionable Malware Classification in Embedded Environments using Hardware Performance Counters

Martin Rosso, Joost Renes, Nikita Veshchikov, Eduardo Alvarenga, Jerry den Hartog

Research output: Contribution to conference (Poster)

Abstract

Widespread use of connected embedded devices, as well as the increase in their computational power, makes them a desirable target for cyber attacks. Detecting such attacks early makes it possible to stop their propagation and limit their impact. In contrast to previous works that aim to detect attacks using hardware performance counters, we conduct an initial feasibility study on the classification of types of attacks. Classifying an ongoing attack makes it possible to choose a more suitable mitigation and thus to react appropriately to different types of attacks. During our experiments we collect more than 2.5 million execution traces from real hardware devices to build a simple anomaly classifier. Using decision tree algorithms, we analyzed more than 20 common use cases and the impact of 4 different attacks on the device. Our evaluation shows that hardware performance counters are useful for attack detection as well as for attack classification. This technique can be implemented very efficiently with minimal overhead in software or in hardware, even on low-end embedded systems.

Original language: English
Publication status: Published - 12 Dec 2021
Event: SPACE 2021: Eleventh International Conference on Security, Privacy and Applied Cryptographic Engineering - [Online]
Duration: 10 Dec 2021 to 13 Dec 2021
Conference number: 11
https://cse.iitkgp.ac.in/conf/SPACE2021/

Keywords

  • PMU
  • HPC
  • hardware performance counter
  • processor monitoring unit
  • CPU event counter
  • classification
