SaTC: CORE: Small: An evaluation framework and methodology to streamline Hardware Performance Counters as the next-generation malware detection system

SaTC：核心：小型：简化硬件性能计数器作为下一代恶意软件检测系统的评估框架和方法

• 批准号: 2327427
• 负责人: Marcus Botacin
• 金额: $ 52.34万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-01-01 至 2026-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2327427&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; evaluation; framework

Most Internet users use Antivirus software (AVs) to protect themselves against Malicious Software (malware). However, current AVs still present limitations, such as slowing down the system's regular operation to search for malware. This slowdown often causes users to turn AVs off, thus exposing themselves to risk. To reduce the performance impact, some AVs opt to only partially scan the system. Although it mitigates performance penalties, it exposes users to risks. In this scenario, it is key to develop faster AVs. A promising avenue to develop faster AVs is to move them from software to hardware, such that the AV becomes an integral part of the computer and it scans the system in parallel with its execution. This project investigates what is the best way to design a hardware-based AV. The project’s novelties are (i) a formal methodology to evaluate which parts of the system better indicate the presence of malware; and (ii) the release of a simulation tool to prototype hardware-based AVs in an easy manner. The project's broader significance and importance are (i) to provide scientists with a formal methodology to evaluate hardware AVs; (ii) to provide industry and developers with a prototyping solution to create their AV products; and (iii) to create conditions to protect the society against malware attacks via the next-generation AVs.This project investigates the application of Hardware Performance Counters (HPCs) in the design of AVs. HPC application is investigated from three different aspects: (i) the hypothesis of architectures with an unlimited number of HPCs to attest HPC viability for malware detection and the determination of the minimum number of HPCs required for an actual CPU design; (ii) the investigation on HPC susceptibility to Mimicry attacks via the development of compiler extensions to automatically create code diversity; and (iii) the development of explainable artificial intelligence models to teach humans how attacks are detected at HPC level. The source code for all tools developed in this project is open-source.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

大多数互联网用户使用防病毒软件（AVS）来保护自己免受恶意软件（恶意软件）的侵害。但是，当前的AV仍然存在限制，例如减慢系统的常规操作以搜索恶意软件。这种放缓通常会导致用户关闭AV，从而使自己面临风险。为了减少性能影响，一些AV选择仅部分扫描系统。尽管它减轻了绩效惩罚，但它使用户面临风险。在这种情况下，开发更快的AV是关键。开发更快的AVS的承诺途径是将它们从软件转移到硬件，以使AV成为计算机不可或缺的一部分，并与执行并行扫描系统。该项目研究了设计基于硬件的AV的最佳方法。该项目的新颖性是（i）一种正式方法，用于评估系统的哪些部分更好地表明了恶意软件的存在； （ii）将模拟工具释放到基于硬件的原型AV中，以一种简单的方式。该项目更广泛的意义和重要性是（i）为科学家提供评估硬件AV的形式方法； （ii）为行业和开发人员提供制作其AV产品的原型解决方案； （iii）创建条件以通过下一代AV保护社会免受恶意软件攻击。本项目研究了硬件性能计数器（HPC）在AVS设计中的应用。从三个不同方面研究了HPC应用：（i）具有无限数量的HPC的体系结构的假设，以证明用于恶意软件检测的HPC生存能力，并确定实际CPU设计所需的最小HPC数量； （ii）通过开发编译器扩展来自动创建代码多样性，对HPC易感性易感性的投资； （iii）开发可解释的人工智能模型，以教导人类如何在HPC级别检测到攻击。该项目中开发的所有工具的源代码都是开源的。该奖项反映了NSF的法定任务，并通过使用基金会的知识分子优点和更广泛的影响标准来评估，被认为是珍贵的支持。