HARDEN: Hardware-Assisted ML-based Anomaly Detection for Cyber Defense

Principal Investigator: Mark Tehanipoor

Sponsor: Silicon Valley Community Foundation

Start Date: September 11, 2019

End Date: September 10, 2021

Amount: $175,000

Abstract

Due to increasing exploitation of security vulnerabilities and newly surfaced attack vectors in networked and IoT systems, there is an urgent need of employing effective security mechanisms that utilize all available and effective system- level hardware, firmware, and software-centric features to build the protection against malicious cyber-threats. We propose to develop HARDEN, a novel hardware-assisted security framework to provide complementary solutions to existing software-centric mechanisms. Our objective is to utilize existing hardware monitors, also known as hardware performance counters, and on-chip sensors for acquiring security critical runtime information from the architectural and micro-architectural-level of abstraction to intelligently assess the integrity of the system’s functionality and security. In modern days, the state-of-the-art processors for both RISC and CISC-architecture families have a number of on- chip monitoring units and sensors. For example, modern Intel processors have several on-chip structures for performance monitoring via micro-architectural events, and multiple on-chip sensors and status registers to monitor both digital and analog runtime activities, such as power supply, temperature, clock jitter, etc. Similarly, a performance monitoring unit (PMU) of an ARM Cortex-A9 processor has 6 event counters that can monitor a total of 58 events. Although such monitoring units (either event monitors or runtime sensors) traditionally focus on processor’s performance, for example, by offering debug accessibility to developers and/or maintaining reliable hardware operations; limited but crucial information can be collected for security analysis. Further, we employ high-accuracy but lightweight machine learning techniques to analyze collected hardware-based runtime signatures to detect anomalies in architecture- and microarchitecture-level from malicious program execution.