Award #2327427 - SaTC: CORE: Small: An evaluation framework and methodology to streamline Hardware Performance Counters as the next-generation malware detection system
Most Internet users use Antivirus software (AVs) to protect themselves against Malicious Software (malware). However, current AVs still present limitations, such as slowing down the system’s regular operation to search for malware. This slowdown often causes users to turn AVs off, thus exposing themselves to risk. To reduce the performance impact, some AVs opt to only partially scan the system. Although it mitigates performance penalties, it exposes users to risks. In this scenario, it is key to develop faster AVs. A promising avenue to develop faster AVs is to move them from software to hardware, such that the AV becomes an integral part of the computer and it scans the system in parallel with its execution. This project investigates what is the best way to design a hardware-based AV. The project?s novelties are (i) a formal methodology to evaluate which parts of the system better indicate the presence of malware; and (ii) the release of a simulation tool to prototype hardware-based AVs in an easy manner. The project’s broader significance and importance are (i) to provide scientists with a formal methodology to evaluate hardware AVs; (ii) to provide industry and developers with a prototyping solution to create their AV products; and (iii) to create conditions to protect the society against malware attacks via the next-generation AVs.
This project investigates the application of Hardware Performance Counters (HPCs) in the design of AVs. HPC application is investigated from three different aspects: (i) the hypothesis of architectures with an unlimited number of HPCs to attest HPC viability for malware detection and the determination of the minimum number of HPCs required for an actual CPU design; (ii) the investigation on HPC susceptibility to Mimicry attacks via the development of compiler extensions to automatically create code diversity; and (iii) the development of explainable artificial intelligence models to teach humans how attacks are detected at HPC level. The source code for all tools developed in this project is open-source.