Title: Trustworthy and Robust Hardware-based Malware Detection
Committee:
Dr. Mukhopadhyay, Advisor
Dr. Hao, Chair
Dr. Kim
Abstract: The objective of the proposed research is to design a robust and trustworthy Hardware-telemetry-based Malware Detector (HMD) that provides the following improvements over the currently used Hardware Performance Counter (HPC) based HMDs: (1) superior predictive performance, (2) robustness against concept drift scenarios, and (3) real-time detection capabilities with interpretable decisions. First, we propose an ensemble-based approach that quantifies the uncertainty in predictions made by the Machine Learning (ML) models used in an HMD. We test our approach on two different HMDs proposed in the literature. For the Power-management-based HMD, we show that the proposed uncertainty estimator can detect >90% of unknown workloads. For the HPC-based HMD, we observe high data uncertainty arising from overlapping benign and malware classes, resulting in poor predictive performance. We hypothesize that, because current HMDs focus solely on CPU telemetry, they capture only part of the impact of software workloads running on an SoC, which results in poor predictive performance. Next, we propose XMD, an HMD that operates on an expansive set of telemetry channels extracted from the different subsystems of the SoC. Key innovations in XMD are guided by analytical theorems that we have developed by leveraging the manifold hypothesis. XMD improves over currently used HPC-based detectors by 32.91% for the in-distribution test data and by 67.57% for the concept drift test data. While XMD significantly improves the predictive performance and the concept drift robustness over prior HPC-based HMDs, it doesn't provide real-time detection capabilities or interpretability of the decisions. In the next step, we propose to design an intermediate-fusion-based technique that provides real-time detection capabilities with interpretable decisions. We will leverage the interactions between the different hardware telemetry channels to help distinguish a malicious workload from a benign one. Coupled with Task-1 and Task-2, the resulting HMD should provide robust and trustworthy decisions compared to the black-box predictions of current HPC-based HMDs.