In this talk, I cover the basic idea of hardware-assisted, two-level architectures for security monitoring and its applications to the malware detection problem. I propose detection triggers involving branch predictor, MMU, memory controller, co-processors, and FPGAs.
Talk presented at the Real Time systems group seminar series at the University of York.
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Hardware-accelerated security monitoring
1. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
Hardware-accelerated security monitoring
Marcus Botacin
1botacin@tamu.edu
marcusbotacin.github.io
Hardware-accelerated security monitoring 1 / 35 YORK
2. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
Who Am I?
Assistant Professor (2022) - Texas A&M University (TAMU), USA
ACES Program Fellowship
PhD. in Computer Science (2021) - Federal University of Paraná (UFPR), Brazil
Thesis: “On the Malware Detection Problem: Challenges and new Approaches”
MSc. in Computer Science (2017) - University of Campinas (UNICAMP), Brazil
Dissertation: “Hardware-Assisted Malware Analysis”
Computer Engineer (2015) - University of Campinas (UNICAMP), Brazil
Final Project: “Malware detection via syscall patterns identification”
Hardware-accelerated security monitoring 2 / 35 YORK
3. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
The Problem
Topics
1 Introduction
The Problem
Solution
2 Signature Matching
HEAVEN
3 HPC Classification
REHAB
4 Packer Identification
SAP
5 Fileless Malware Detection
MINI-ME
6 Function Checking
TERMINATOR
7 Conclusions
Recap & Remarks
Hardware-accelerated security monitoring 3 / 35 YORK
4. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
The Problem
Bottleneck: Real-time monitoring performance penalty
0
50
100
150
200
250
Perl Xalanc Gobmk H264 Namd Mcf
Time
(s)
Benchmark
AV’s Monitoring Performance
Filter AV SSDT AV No AV
Figure: AV Monitoring Performance.
0
50
100
150
200
250
300
perl namd Bzip milc mfc
Execution
Time
(s)
Benchmark
AV scanning overhead
Scan
Baseline
Figure: In-memory AV scans worst-case
and best-case performance penalties.
Hardware-accelerated security monitoring 4 / 35 YORK
5. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
Solution
Topics
1 Introduction
The Problem
Solution
2 Signature Matching
HEAVEN
3 HPC Classification
REHAB
4 Packer Identification
SAP
5 Fileless Malware Detection
MINI-ME
6 Function Checking
TERMINATOR
7 Conclusions
Recap & Remarks
Hardware-accelerated security monitoring 5 / 35 YORK
6. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
Solution
Hardware AV Architecture
2-level Architecture
Do not fully replace AVs, but add effi-
cient matching capabilities to them.
Hardware-accelerated security monitoring 6 / 35 YORK
7. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
Solution
Performance Characterization
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
5 10 15 20 25 30 35 40
CPU
(%)
Time (s)
AV Monitoring Overhead
HEAVEN+AV
AV
No−AV
2-Phase HEAVEN CPU Performance
The inspection phase causes occasional,
and quick bursts of CPU usage. The AV
operating alone incurs a continuous 10%
performance overhead.
Hardware-accelerated security monitoring 7 / 35 YORK
8. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
HEAVEN
Topics
1 Introduction
The Problem
Solution
2 Signature Matching
HEAVEN
3 HPC Classification
REHAB
4 Packer Identification
SAP
5 Fileless Malware Detection
MINI-ME
6 Function Checking
TERMINATOR
7 Conclusions
Recap & Remarks
Hardware-accelerated security monitoring 8 / 35 YORK
10. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
HEAVEN
Branch patterns as signatures
Hardware-accelerated security monitoring 10 / 35 YORK
11. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
HEAVEN
Branch patterns as signatures
Figure: Two-level branch predictor. A
sequence window of taken (1) and not-taken
(0) branches is stored in the Global History
Register (GHR).
0
10
20
30
40
50
60
70
80
90
100
8 16 24 32 40
Percentage
of
signature
collision
in
the
k−bit
space
Branch pattern length (in k bits)
Percentage of signature collision per branch−pattern length (in bits)
Patterns
Figure: Branch patterns coverage.
Hardware-accelerated security monitoring 11 / 35 YORK
12. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
HEAVEN
Hardware AV Architecture
2-level Architecture
Do not fully replace AVs, but add effi-
cient matching capabilities to them.
Hardware-accelerated security monitoring 12 / 35 YORK
13. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
HEAVEN
Performance Characterization
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
5 10 15 20 25 30 35 40
CPU
(%)
Time (s)
AV Monitoring Overhead
HEAVEN+AV
AV
No−AV
2-Phase HEAVEN CPU Performance
The inspection phase causes occasional,
and quick bursts of CPU usage. The AV
operating alone incurs a continuous 10%
performance overhead.
Hardware-accelerated security monitoring 13 / 35 YORK
14. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
REHAB
Topics
1 Introduction
The Problem
Solution
2 Signature Matching
HEAVEN
3 HPC Classification
REHAB
4 Packer Identification
SAP
5 Fileless Malware Detection
MINI-ME
6 Function Checking
TERMINATOR
7 Conclusions
Recap & Remarks
Hardware-accelerated security monitoring 14 / 35 YORK
16. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
REHAB
Profiling-Based AV
1k
10k
100k
1M
10M
0 10 20 30 40 50 60
Classifier Separation
Branch−misses
(#)
Elapsed time (s)
Perf stat branch−miss:
Branch−miss stat comparison between goodware and malware during 60 seconds.
bluetooth−wizard
dpkg−log−summary
3f5b5...f0
3c55...50
Figure: Malware Classification using low
level features.
Figure: REHAB Architecture. CPU’s HPC
data is used as feature for a FPGA-based,
reconfigurable ML classifier updatable via
software.
Hardware-accelerated security monitoring 16 / 35 YORK
17. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
REHAB
Classifiers
b
b
b
O
u
t
p
u
t
X2
X3
X
I
n
p
u
t
X1
W
X
X
+
+
+
B
W3
W2
W1
B1
Figure: SVM.
I
n
p
u
t
W
<
<
0
O
u
t
p
u
t
X1
X2
W1
W2
Figure: Random Forest.
Hidden
Layer
Output
Input
N
e
u
r
o
n
O
u
t
p
u
t
X2
X3
X
I
n
p
u
t
X1
W
X
X
+
+
+
B
W3
W2
W1
B1
𝜑
Figure: MLP.
Hardware-accelerated security monitoring 17 / 35 YORK
18. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
REHAB
AV Checks Cost
Table: Execution Speedup per AV check. Hardware Accelerator is essential for overhead
elimination.
ML algorithm → SVM RF MLP
CPU 220µs 270µs 240µs
FPGA+Comm 124.5ns 111.2ns 158.9ns
Speedup 1.7k× 2.4k× 1.5k×
Hardware-accelerated security monitoring 18 / 35 YORK
19. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
SAP
Topics
1 Introduction
The Problem
Solution
2 Signature Matching
HEAVEN
3 HPC Classification
REHAB
4 Packer Identification
SAP
5 Fileless Malware Detection
MINI-ME
6 Function Checking
TERMINATOR
7 Conclusions
Recap & Remarks
Hardware-accelerated security monitoring 19 / 35 YORK
20. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
SAP
Publication
Figure: Source: https://link.springer.com/article/10.1007/s11416-020-00348-w
Hardware-accelerated security monitoring 20 / 35 YORK
21. Introduction Signature Matching HPC Classification Packer Identification Fileless Malware Detection Function Checking Conclusions
SAP
Architectural Support
Figure: Pipeline Stalls Detection. Figure: MMU Modification.
Hardware-accelerated security monitoring 21 / 35 YORK