Ph.D. Dissertation Defense - Nikhil Chawla


Event Details
  • Date/Time:
    • Monday November 8, 2021
      3:00 pm - 5:00 pm
  • Location: https://bluejeans.com/936241299/6391
  • Fee(s):
    N/A
Contact
No contact information submitted.
Summaries

Summary Sentence: Machine Learning Methodologies for Low-level Hardware-based Malware Detection

Full Summary: No summary paragraph submitted.

Title: Machine Learning Methodologies for Low-level Hardware-based Malware Detection

Committee:

Dr. Saibal Mukhopadhyay, ECE, Chair, Advisor

Dr. Shimeng Yu, ECE

Dr. Abhijit Chatterjee, ECE

Dr. Arijit Raychowdhury, ECE

Dr. Santosh Pande, CS

Abstract: Malicious software continues to be a pertinent threat to the security of critical infrastructures harboring sensitive information. The abundance of malware samples and the disclosure of newer vulnerability paths for exploitation necessitate intelligent data mining techniques for effective and efficient malware detection and analysis. Software-based methods are suitable for in-depth forensic analysis, but their on-device implementations are slower and resource hungry. Hardware-based approaches are emerging as an alternative against malware threats because of their trustworthiness, difficult evasion, and lower implementation costs. Modern processors have numerous hardware events, such as power domains, voltage, and frequency, accessible through software interfaces for performance monitoring and debugging. However, these events have not been explored for defenses against malware threats. This thesis demonstrates an alternative approach towards malware detection and analysis by leveraging low-level hardware signatures. The proposed research aims to develop a machine learning methodology for detecting malware applications, classifying malware families, and detecting shellcode exploits from low-level power signatures and electromagnetic emissions. This includes 1) developing a signature-based detector by extracting features from DVFS states and using an ML model to distinguish malware applications from benign ones; 2) developing an ML model operating on frequency and wavelet features to classify malware families using EM emissions; 3) developing a Restricted Boltzmann Machine (RBM) model to detect anomalies in power signatures of malware-infected applications resulting from shellcode exploits.
The experimental results from the proposed ML methodology indicate the existence of a unique correlation between DVFS states and an application, the feasibility of distinguishing a malware application from a benign one using DVFS states, classification of detected malware into its characteristic family using EM signatures, and identification of anomalies in power signatures to detect shellcode exploits on vulnerable browser applications using an energy-based RBM model.

Additional Information

In Campus Calendar
No
Groups

ECE Ph.D. Dissertation Defenses

Invited Audience
Public
Categories
Other/Miscellaneous
Keywords
Phd Defense, graduate students
Status
  • Created By: Daniela Staiculescu
  • Workflow Status: Published
  • Created On: Nov 4, 2021 - 5:06pm
  • Last Updated: Nov 4, 2021 - 5:06pm