*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Trustworthy and Robust Hardware-based Malware Detection
Committee:
Dr. Mukhopadhyay, Advisor
Dr. Hao, Chair
Dr. Kim
Abstract: The objective of the proposed research is to design a robust and trustworthy Hardware-telemetry based Malware Detector (HMD) that provides the following improvements over the currently used Hardware Performance Counter (HPC) based HMDs: (1) superior predictive performance, (2) robustness against concept drift scenarios and, (3) real-time detection capabilities with interpretable decisions. First, we propose an ensemble-based approach that quantifies the uncertainty in predictions made by Machine Learning (ML) models used in an HMD. We test our approach on two different HMDs proposed in the literature. For the Power-management-based HMD, we show that the proposed uncertainty estimator can detect >90% of unknown workloads. For the HPC-based HMD, we observe high data uncertainty arising from overlapping benign and malware classes, resulting in poor predictive performance. We hypothesize that since the current HMDs focus solely on CPU telemetry, they capture the partial impact of software workloads running on an SoC, resulting in poor predictive performance. Next, we propose XMD, an HMD that operates on an expansive set of telemetry channels extracted from the different subsystems of SoC. Key innovations in XMD are guided by analytical theorems that we have developed by leveraging the concept of manifold hypothesis. XMD improves over currently used HPC-based detectors by 32.91% for the in-distribution test data and by 67.57% for the concept drift test data. While XMD significantly improves the predictive performance and the concept drift robustness over prior HPC-based HMDs, it doesn't provide real-time detection capabilities or interpretability of the decisions. In the next step, we propose to design an intermediate-fusion-based technique that provides real-time detection capabilities with interpretable decisions. We will leverage the interactions between the different hardware telemetry channels to help distinguish a malicious workload from a benign one. Coupled with Task-1 and Task-2, the resulting HMD should provide robust and trustworthy decisions compared to the blackbox predictions of current HPC-based HMDs.
