
    Unsupervised Anomaly-based Malware Detection using Hardware Features

    Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including potentially novel ones. We use unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and use these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation. We show that real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can be detected with nearly perfect certainty. We also examine the limits and challenges in implementing this approach in face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors and can be used together to improve security.
    Comment: 1 page, Latex; added description for feature selection in Section 4, results unchange

    Data analysis strategies for the detection of gravitational waves in non-Gaussian noise

    In order to analyze data produced by the kilometer-scale gravitational wave detectors that will begin operation early next century, one needs to develop robust statistical tools capable of extracting weak signals from the detector noise. This noise will likely have non-stationary and non-Gaussian components. To facilitate the construction of robust detection techniques, I present a simple two-component noise model that consists of a background of Gaussian noise as well as stochastic noise bursts. The optimal detection statistic obtained for such a noise model incorporates a natural veto which suppresses spurious events that would be caused by the noise bursts. When two detectors are present, I show that the optimal statistic for the non-Gaussian noise model can be approximated by a simple coincidence detection strategy. For simulated detector noise containing noise bursts, I compare the operating characteristics of (i) a locally optimal detection statistic (which has nearly-optimal behavior for small signal amplitudes) for the non-Gaussian noise model, (ii) a standard coincidence-style detection strategy, and (iii) the optimal statistic for Gaussian noise.
    Comment: 5 pages RevTeX, 4 figure

    Importance Sampling for Objective Function Estimations in Neural Detector Training Driven by Genetic Algorithms

    To train Neural Networks (NNs) in a supervised way, estimations of an objective function must be carried out. The value of this function decreases as the training progresses and so, the number of test observations necessary for an accurate estimation has to be increased. Consequently, the training computational cost is unaffordable for very low objective function value estimations, and the use of Importance Sampling (IS) techniques becomes convenient. The study of three different objective functions is considered, which implies the proposal of estimators of the objective function using IS techniques: the Mean-Square error, the Cross Entropy error and the Misclassification error criteria. The values of these functions are estimated by IS techniques, and the results are used to train NNs by the application of Genetic Algorithms. Results for a binary detection in Gaussian noise are provided. These results show the evolution of the parameters during the training and the performances of the proposed detectors in terms of error probability and Receiver Operating Characteristics curves. At the end of the study, the obtained results justify the convenience of using IS in the training

    Time-ordered data simulation and map-making for the PIXIE Fourier transform spectrometer

    We develop a time-ordered data simulator and map-maker for the proposed PIXIE Fourier transform spectrometer and use them to investigate the impact of polarization leakage, imperfect collimation, elliptical beams, sub-pixel effects, correlated noise and spectrometer mirror jitter on the PIXIE data analysis. We find that PIXIE is robust to all of these effects, with the exception of mirror jitter which could become the dominant source of noise in the experiment if the jitter is not kept significantly below $0.1\,\mu m\sqrt{s}$. Source code is available at https://github.com/amaurea/pixie.
    Comment: 27 pages, 15 figures. Accepted for publication in JCA

    Tuning Windowed Chi-Squared Detectors for Sensor Attacks

    A model-based windowed chi-squared procedure is proposed for identifying falsified sensor measurements. We employ the widely-used static chi-squared and the dynamic cumulative sum (CUSUM) fault/attack detection procedures as benchmarks to compare the performance of the windowed chi-squared detector. In particular, we characterize the state degradation that a class of attacks can induce to the system while enforcing that the detectors do not raise alarms (zero-alarm attacks). We quantify the advantage of using dynamic detectors (windowed chi-squared and CUSUM detectors), which leverages the history of the state, over a static detector (chi-squared) which uses a single measurement at a time. Simulations using a chemical reactor are presented to illustrate the performance of our tools