Towards Early and Robust Behavioral Malware Detectors
Abstract: Enterprises are complex systems, and defending them against cyber-attacks is exceptionally challenging. An enterprise network can include hundreds of thousands of devices, and new attacks emerge that operate at timescales from milliseconds to months. Worse, attackers adapt intelligently to proposed defenses. On one hand, behavioral detectors seem essential to stem the tide of new attacks. On the other, evasive attacks have forced enterprises to stick instead with signature- and rule-based techniques that have low false positives, but at the cost of poor detection of new malware.
In this talk, I will discuss our initial work that introduces a new class of behavioral detectors: specifically, detectors that monitor instruction- and micro-architectural behavior and act as an early warning system. We show that hardware-level detectors are effective in detecting Rowhammer, side-channel attacks, and mobile malware. I will then describe a distributed behavioral detector that amplifies weak correlations due to malware propagation in order to weed out false positives from local detectors. Our global detector algorithm is designed to incorporate domain information cleanly into the analysis pipeline. We demonstrate this versatility using two distinct use cases: (a) in 5 years of Symantec's malware logs, we reduce false positives from ~1M down to ~110k and raise alerts 345 days (on average) before commercial anti-virus products; and (b) in web services (based on logs from Yahoo), we detect infected machines in real time when only ~100 of a potential ~550k client devices are compromised.
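The abstract does not spell out the global detector's algorithm, so the following is an added illustration of the general idea behind it (correlating weak, independent local alerts across hosts so that an indicator spreading through a fleet is promoted while isolated noise is suppressed), not the speaker's or the paper's code. The alert records, host names, hashes, thresholds and the noisy-OR combination rule are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAlert:
    host: str        # hypothetical host name
    indicator: str   # hypothetical artifact the local detector flagged, e.g. a file hash
    ts: float        # seconds since an arbitrary epoch
    p: float         # local detector's confidence that the indicator is malicious


# Constructed sample telemetry (not real data): one hash produces weak alerts on
# four hosts within minutes (propagation), while the others are isolated noise.
SAMPLE_ALERTS = [
    LocalAlert("h01", "sha256:aaa", 0, 0.40),
    LocalAlert("h02", "sha256:aaa", 120, 0.35),
    LocalAlert("h03", "sha256:aaa", 300, 0.45),
    LocalAlert("h04", "sha256:aaa", 420, 0.30),
    LocalAlert("h07", "sha256:bbb", 50, 0.45),      # single weak alert: likely a false positive
    LocalAlert("h09", "sha256:ccc", 10, 0.30),
    LocalAlert("h09", "sha256:ccc", 20, 0.30),      # same host repeating is not spread
    LocalAlert("h11", "sha256:ddd", 3000, 0.30),
    LocalAlert("h12", "sha256:ddd", 90000, 0.30),   # a day later: outside the window
]

LOCAL_THRESHOLD = 0.8   # what a standalone local detector would need to fire on its own


def noisy_or(probs):
    """Combine independent evidence: P(at least one local alert is correct)."""
    acc = 1.0
    for p in probs:
        acc *= (1.0 - p)
    return 1.0 - acc


def local_alerts(alerts, threshold=LOCAL_THRESHOLD):
    """Indicators a purely local detector would raise at this threshold."""
    return {a.indicator for a in alerts if a.p >= threshold}


def global_alerts(alerts, window=3600.0, min_hosts=3, threshold=0.8):
    """Return {indicator: combined_score} for indicators seen on at least
    `min_hosts` distinct hosts within `window` seconds whose combined
    (noisy-OR) evidence crosses `threshold`."""
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[a.indicator].append(a)

    promoted = {}
    for indicator, evs in by_indicator.items():
        evs.sort(key=lambda a: a.ts)
        best = 0.0
        lo = 0
        for hi in range(len(evs)):
            # slide the window so that evs[lo:hi+1] all fall within `window` seconds
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            per_host = {}
            for a in evs[lo:hi + 1]:
                per_host[a.host] = max(per_host.get(a.host, 0.0), a.p)
            # require spread across distinct hosts, not repeats from one host
            if len(per_host) >= min_hosts:
                best = max(best, noisy_or(per_host.values()))
        if best >= threshold:
            promoted[indicator] = best
    return promoted


if __name__ == "__main__":
    print("local-only alerts:", local_alerts(SAMPLE_ALERTS))
    print("globally promoted :", global_alerts(SAMPLE_ALERTS))
```

With the constructed data, no single local alert clears the standalone threshold, yet the hash that spreads across four hosts within seven minutes is promoted by the global detector, while the lone alert, the single host repeating itself, and the two alerts a day apart are all suppressed. Real deployments would replace the noisy-OR with whatever domain model the pipeline supports (process lineage, network neighbourhood, file provenance), which is the kind of domain information the abstract refers to.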
About the Speaker:
Mohit Tiwari is an Assistant Professor in ECE at UT Austin, which he joined after a PhD at UC Santa Barbara in 2011 and an NSF post-doctoral fellowship at UC Berkeley (2011-13). His research has received best paper awards at ASPLOS'15, PACT'09, and HOST'18 (runner-up); IEEE Micro Top Picks in architecture in 2010 and 2014 (Honorable Mention); CSAW best applied cybersecurity paper finalist in 2013 and 2018; the NSF CAREER award in 2015; and the Qualcomm Faculty Award in 2017 and 2018.