Title
Quantifying and improving the efficiency of hardware-based mobile malware detectors.
Abstract
Hardware-based malware detectors (HMDs) are a key emerging technology to build trustworthy systems, especially mobile platforms. Quantifying the efficacy of HMDs against malicious adversaries is thus an important problem. The challenge lies in that real-world malware adapts to defenses, evades being run in experimental settings, and hides behind benign applications. Thus, realizing the potential of HMDs as a small and battery-efficient line of defense requires a rigorous foundation for evaluating HMDs. We introduce Sherlock---a white-box methodology that quantifies an HMD's ability to detect malware and identifies the reason why. Sherlock first deconstructs malware into atomic, orthogonal actions to synthesize a diverse malware suite. Sherlock then drives both malware and benign programs with real user inputs, and compares their executions to determine an HMD's operating range, i.e., the smallest malware actions an HMD can detect. We show three case studies using Sherlock to not only quantify HMDs' operating ranges but also design better detectors. First, using information about concrete malware actions, we build a discrete-wavelet-transform-based unsupervised HMD that outperforms prior work based on power transforms by 24.7% (AUC metric). Second, training a supervised HMD using Sherlock's diverse malware dataset yields 12.5% better HMDs than past approaches that train on ad-hoc subsets of malware. Finally, Sherlock shows why a malware instance is detectable. This yields a surprising new result---obfuscation techniques used by malware to evade static analyses make them more detectable using HMDs.
Year: 2016
DOI: 10.5555/3195638.3195683
Venue: MICRO-49: The 49th Annual IEEE/ACM International Symposium on Microarchitecture, Taipei, Taiwan, October 2016
Keywords: hardware-based mobile malware detectors, trustworthy systems, malicious adversaries, battery-efficient line of defense, white-box methodology, malware suite, HMD operating range, malware actions, discrete-wavelet transform based unsupervised HMD, AUC metric, supervised HMD, Sherlock diverse malware dataset, ad-hoc malware subsets
Field: Mobile malware, Suite, Trustworthiness, Computer science, Real-time computing, Memory model, Work stealing, Computer hardware, Malware, Detector
DocType: Conference
ISSN: 1072-4451
ISBN: 978-1-4503-4952-9
Citations: 3
PageRank: 0.36
References: 18
Authors: 3
Authors (Name; Order; Citations/PageRank):
Mikhail Kazdagli; 1; 372.96
Vijay Janapa Reddi; 2; 2931140.26
Mohit Tiwari; 3; 44523.94