Abstract
In recent years, cyber-attacks have become more sophisticated, posing a serious threat to computer systems. In response, many cybersecurity researchers have gravitated toward dynamic behavioral analysis of software to counter ever-evolving malware. Recent studies have shown that low-level hardware information, in the form of hardware events, can be very useful for dynamic behavioral analysis. These events provide detailed insight into a program's behavior during execution, which can be used for many applications such as identifying program bottlenecks, workload characterization, anomaly detection, and malware analysis. Hardware events can be monitored via the performance monitoring counters available on most modern processors.
Various tools have been developed to abstract the process of monitoring and collecting hardware events using performance counters. However, the current design of these tools often comes with inherent drawbacks, such as large performance overhead, coarse timer granularity, and an intrusive design that requires source-code modification and sometimes even a kernel patch. To address these limitations, I first present an innovative kernel module design that monitors and collects hardware events in kernel space. The proposed kernel module reduces the performance overhead incurred by the system calls that are typically used to pass performance counter data between user space and kernel space. By leveraging a kernel high-resolution timer, the kernel module provides finer sample granularity than tools that operate at the user level. I then present a kernel module-based framework for malware detection using low-level hardware information. The proposed framework has demonstrated the potential to support real-time analysis of programs for cyberattack detection and mitigation. In addition, I discuss further optimization of the anomaly detection framework, including deployment optimization, scalability, and transferability. Overall, the proposed framework demonstrates a strong capability to detect multiple types of malware using low-level hardware information with minimal overhead, while offering the scalability to handle large-scale deployment and the flexibility to be repurposed for a variety of applications.
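To make the detection side of such a framework concrete, the following is an added example (not the thesis's own code or model): it takes a stream of per-interval hardware-event samples, as a kernel-side sampler would deliver them, derives rate features, builds a baseline profile from a benign run, and flags windows whose features deviate from that profile. The four event types, the z-score detector and threshold, and the sample stream are all constructed assumptions for illustration.

```python
"""Toy anomaly detector over hardware-event samples (added example).

Each sample is (cycles, instructions, cache_misses, branch_misses) counted
over one fixed sampling interval. The baseline statistics and the z-score
threshold are assumptions, not the thesis's model; the sample stream below
is constructed, not real performance-counter data.
"""
import statistics

FEATURES = ("ipc", "cache_miss_rate", "branch_miss_rate")

def features(sample):
    """Derive per-interval rates so values do not depend on interval length."""
    cycles, instr, cache_miss, branch_miss = sample
    return {
        "ipc": instr / cycles,
        "cache_miss_rate": cache_miss / instr,
        "branch_miss_rate": branch_miss / instr,
    }

def build_profile(benign_samples):
    """Mean and standard deviation of each feature over a benign run."""
    cols = {f: [features(s)[f] for s in benign_samples] for f in FEATURES}
    # Guard against a zero deviation so a constant feature cannot divide by zero.
    return {f: (statistics.mean(v), statistics.pstdev(v) or 1e-9) for f, v in cols.items()}

def score_window(profile, window):
    """Largest absolute z-score across features of the window's average sample."""
    avg = {f: statistics.mean(features(s)[f] for s in window) for f in FEATURES}
    return max(abs(avg[f] - profile[f][0]) / profile[f][1] for f in FEATURES)

def detect(profile, stream, window=4, threshold=4.0):
    """Slide a window over the stream; return start indices of anomalous windows."""
    return [i for i in range(len(stream) - window + 1)
            if score_window(profile, stream[i:i + window]) > threshold]

# Constructed data: the benign phase resembles a workload with IPC around 1.5
# and low miss rates; the anomalous tail mimics a memory-thrashing phase
# (IPC collapses, cache misses jump). Units: event counts per sampling interval.
BENIGN = [(1_000_000, 1_500_000 + d, 2_000 + d // 100, 10_000 + d // 20)
          for d in range(0, 20_000, 1_000)]
ANOMALOUS = [(1_000_000, 400_000, 90_000, 45_000)] * 4
STREAM = BENIGN + ANOMALOUS

if __name__ == "__main__":
    profile = build_profile(BENIGN)
    print(detect(profile, STREAM))  # → [17, 18, 19, 20]
```

A real deployment would fit the profile per workload or per host and tune the threshold against the false-positive rate the operator can tolerate.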